protect against fuzz generated fLastMoveToIndex If fLastMoveToIndex exceeds SkPath::countPoints(), SkPath::internalGetConvexity() reads outside allocated memory. R=kjlubick@google.com Bug: skia:11842 Change-Id: Iba20c1a977645d882f0b86c22134d1d055692a0c Reviewed-on: https://skia-review.googlesource.com/c/177801 Commit-Queue: Cary Clark <caryclark@skia.org> Commit-Queue: Kevin Lubick <kjlubick@google.com> Auto-Submit: Cary Clark <caryclark@skia.org> Reviewed-by: Kevin Lubick <kjlubick@google.com>

commit: eb82b5a3ee917654de6a60907e40ed8d3ef3d739 [log] [tgz]
author: Cary Clark <caryclark@skia.org> Fri Dec 14 10:15:13 2018 -0500
committer: Skia Commit-Bot <skia-commit-bot@chromium.org> Fri Dec 14 15:40:39 2018 +0000
tree: ed1d2a220841028cba7fff6b61c7afe6c1e0efc1
parent: af67819ee1d93fc4000c1ad777ce53ec87dc693a [diff]
diff --git a/src/core/SkPath.cpp b/src/core/SkPath.cpp
index 1fc75d2..3debecf 100644
--- a/src/core/SkPath.cpp
+++ b/src/core/SkPath.cpp

@@ -2803,7 +2803,11 @@
     };
 
     // Check to see if path changes direction more than three times as quick concave test
-    int pointCount = fLastMoveToIndex > 0 ? fLastMoveToIndex : this->countPoints();
+    int pointCount = this->countPoints();
+    // last moveTo index may exceed point count if data comes from fuzzer (via SkImageFilter)
+    if (0 < fLastMoveToIndex && fLastMoveToIndex < pointCount) {
+        pointCount = fLastMoveToIndex;
+    }
     if (pointCount > 3) {
         const SkPoint* points = fPathRef->points();
         const SkPoint* last = &points[pointCount];
commit	eb82b5a3ee917654de6a60907e40ed8d3ef3d739	[log] [tgz]
author	Cary Clark <caryclark@skia.org>	Fri Dec 14 10:15:13 2018 -0500
committer	Skia Commit-Bot <skia-commit-bot@chromium.org>	Fri Dec 14 15:40:39 2018 +0000
tree	ed1d2a220841028cba7fff6b61c7afe6c1e0efc1
parent	af67819ee1d93fc4000c1ad777ce53ec87dc693a [diff]