Detect an invalid intervalCount in SkRegion during deserialiation. [Cherry-pick from 675576f023c8fa10cdb0c18bc0a6c214e0bab069 to M51 branch.] TBR=robertphillips@google.com BUG=609260 GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1961463003 Original Review-Url: https://codereview.chromium.org/1961463003 NOTREECHECKS=true NOTRY=true NOPRESUBMIT=true Review-Url: https://codereview.chromium.org/2027643002

commit: e181e8b6235ec8f5d7f1ba49001a534c64f6974a [log] [tgz]
author: senorblanco <senorblanco@chromium.org> Tue May 31 07:47:50 2016 -0700
committer: Commit bot <commit-bot@chromium.org> Tue May 31 07:47:50 2016 -0700
tree: 6e2543c22c4c0647477c2e13571d68ee3debc9b6
parent: 0e0d609546200bef8a000924092fd432da414c2a [diff]
diff --git a/src/core/SkRegion.cpp b/src/core/SkRegion.cpp
index 38d12d2..a50425a 100644
--- a/src/core/SkRegion.cpp
+++ b/src/core/SkRegion.cpp

@@ -1136,7 +1136,8 @@
             tmp.fRunHead = SkRegion_gRectRunHeadPtr;
         } else {
             int32_t ySpanCount, intervalCount;
-            if (buffer.readS32(&ySpanCount) && buffer.readS32(&intervalCount)) {
+            if (buffer.readS32(&ySpanCount) && buffer.readS32(&intervalCount) &&
+                intervalCount > 1) {
                 tmp.allocateRuns(count, ySpanCount, intervalCount);
                 buffer.read(tmp.fRunHead->writable_runs(), count * sizeof(RunType));
             }
commit	e181e8b6235ec8f5d7f1ba49001a534c64f6974a	[log] [tgz]
author	senorblanco <senorblanco@chromium.org>	Tue May 31 07:47:50 2016 -0700
committer	Commit bot <commit-bot@chromium.org>	Tue May 31 07:47:50 2016 -0700
tree	6e2543c22c4c0647477c2e13571d68ee3debc9b6
parent	0e0d609546200bef8a000924092fd432da414c2a [diff]