Google Git
Sign in
skia/skia/refs/heads/chrome/m51^!/.
commit
e181e8b6235ec8f5d7f1ba49001a534c64f6974a
[log] [tgz]
author
senorblanco <senorblanco@chromium.org>
Tue May 31 07:47:50 2016 -0700
committer
Commit bot <commit-bot@chromium.org>
Tue May 31 07:47:50 2016 -0700
tree
6e2543c22c4c0647477c2e13571d68ee3debc9b6
parent
0e0d609546200bef8a000924092fd432da414c2a [diff]
Detect an invalid intervalCount in SkRegion during deserialiation.

[Cherry-pick from 675576f023c8fa10cdb0c18bc0a6c214e0bab069 to M51 branch.]

TBR=robertphillips@google.com
BUG=609260
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1961463003

Original Review-Url: https://codereview.chromium.org/1961463003
NOTREECHECKS=true
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2027643002

diff --git a/src/core/SkRegion.cpp b/src/core/SkRegion.cpp
index 38d12d2..a50425a 100644
--- a/src/core/SkRegion.cpp
+++ b/src/core/SkRegion.cpp

@@ -1136,7 +1136,8 @@
             tmp.fRunHead = SkRegion_gRectRunHeadPtr;
         } else {
             int32_t ySpanCount, intervalCount;
-            if (buffer.readS32(&ySpanCount) && buffer.readS32(&intervalCount)) {
+            if (buffer.readS32(&ySpanCount) && buffer.readS32(&intervalCount) &&
+                intervalCount > 1) {
                 tmp.allocateRuns(count, ySpanCount, intervalCount);
                 buffer.read(tmp.fRunHead->writable_runs(), count * sizeof(RunType));
             }