Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / skqp / c4f66af20e3a58a09554eb3db2bf45c6291fe3a8^! / .
commitc4f66af20e3a58a09554eb3db2bf45c6291fe3a8[log] [tgz]
authorYuqian Li <liyuqian@google.com>Fri Nov 11 09:36:53 2016 -0500
committerSkia Commit-Bot <skia-commit-bot@chromium.org>Fri Nov 11 16:11:52 2016 +0000
treee80421553604c04d13dcf5bc4d9cc97e9f7ca17a
parentb0b5360ae4078560b2f5f8508471129e4dd1cee6 [diff]
Catch width overflow

BUG=chromium:662730

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=4628

Change-Id: Iaf3a30d39fda3166a6f8fc62a30580629418dc88
Reviewed-on: https://skia-review.googlesource.com/4628
Reviewed-by: Cary Clark <caryclark@google.com>
Commit-Queue: Yuqian Li <liyuqian@google.com>

diff --git a/src/core/SkScan_AAAPath.cpp b/src/core/SkScan_AAAPath.cpp
index 16b5561..4bbeccf 100644
--- a/src/core/SkScan_AAAPath.cpp
+++ b/src/core/SkScan_AAAPath.cpp

@@ -153,7 +153,11 @@
     int getWidth() override { return fClipRect.width(); }
 
     static bool canHandleRect(const SkIRect& bounds) {
-        int width = bounds.width();
+        // The width may overflow signed int, e.g., left = -2147483648, right = 1
+        unsigned width = bounds.width();
+        if (width > MaskAdditiveBlitter::kMAX_WIDTH) {
+            return false;
+        }
         int64_t rb = SkAlign4(width);
         // use 64bits to detect overflow
         int64_t storage = rb * bounds.height();

diff --git a/tests/PathTest.cpp b/tests/PathTest.cpp
index b79b5cc..b8247ed 100644
--- a/tests/PathTest.cpp
+++ b/tests/PathTest.cpp

@@ -4260,6 +4260,20 @@
     surface->getCanvas()->drawRectCoords(0, 0, 100, 100, paint);
 }
 
+static void test_fuzz_crbug_662730(skiatest::Reporter* reporter) {
+    SkPath path;
+    path.moveTo(SkBits2Float(0x00000000), SkBits2Float(0x00000000));  // 0, 0
+    path.lineTo(SkBits2Float(0xd5394437), SkBits2Float(0x37373737));  // -1.2731e+13f, 1.09205e-05f
+    path.lineTo(SkBits2Float(0x37373737), SkBits2Float(0x37373737));  // 1.09205e-05f, 1.09205e-05f
+    path.lineTo(SkBits2Float(0x37373745), SkBits2Float(0x0001b800));  // 1.09205e-05f, 1.57842e-40f
+    path.close();
+
+    auto surface = SkSurface::MakeRasterN32Premul(100, 100);
+    SkPaint paint;
+    paint.setAntiAlias(true);
+    surface->getCanvas()->drawPath(path, paint);
+}
+
 static void test_interp(skiatest::Reporter* reporter) {
     SkPath p1, p2, out;
     REPORTER_ASSERT(reporter, p1.isInterpolatable(p2));
@@ -4315,6 +4329,7 @@
     test_fuzz_crbug_627414(reporter);
     test_path_crbug364224();
     test_fuzz_crbug_662952(reporter);
+    test_fuzz_crbug_662730(reporter);
 
     SkTSize<SkScalar>::Make(3,4);