From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Osman <brianosman@google.com>
Date: Thu, 29 Aug 2024 11:52:35 -0400
Subject: [PATCH] Prevent overflow when growing an SkRegion's RunArray

Bug: 350118416
Test: N/A -- speculative issue without repro case
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894836
Reviewed-by: Robert Phillips <robertphillips@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85802e6d648a7831a26cc856fa5e33da94ed23f0)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6ed907c5f18a646c9150e41b74ef45ca08518830)
Merged-In: Iea27fe62ef97deb8a75e8dae276657d809223b57
Change-Id: Iea27fe62ef97deb8a75e8dae276657d809223b57
---
 src/core/SkRegion.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/core/SkRegion.cpp b/src/core/SkRegion.cpp
index 9176c7a55c..f97da2e9dd 100644
--- a/src/core/SkRegion.cpp
+++ b/src/core/SkRegion.cpp
@@ -53,8 +53,10 @@ public:
     /** Resize the array to a size greater-than-or-equal-to count. */
     void resizeToAtLeast(int count) {
         if (count > fCount) {
-            // leave at least 50% extra space for future growth.
-            count += count >> 1;
+            // leave at least 50% extra space for future growth (unless adding would overflow)
+            SkSafeMath safe;
+            int newCount = safe.addInt(count, count >> 1);
+            count = safe ? newCount : SK_MaxS32;
             fMalloc.realloc(count);
             if (fPtr == fStack) {
                 memcpy(fMalloc.get(), fStack, fCount * sizeof(SkRegionPriv::RunType));