mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-06-28 16:27:30 -04:00
35 lines
1.7 KiB
Diff
35 lines
1.7 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Brian Osman <brianosman@google.com>
|
|
Date: Thu, 29 Aug 2024 11:52:35 -0400
|
|
Subject: [PATCH] Prevent overflow when growing an SkRegion's RunArray
|
|
|
|
Bug: 350118416
|
|
Test: N/A -- speculative issue without repro case
|
|
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894836
|
|
Reviewed-by: Robert Phillips <robertphillips@google.com>
|
|
Commit-Queue: Brian Osman <brianosman@google.com>
|
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85802e6d648a7831a26cc856fa5e33da94ed23f0)
|
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6ed907c5f18a646c9150e41b74ef45ca08518830)
|
|
Merged-In: Iea27fe62ef97deb8a75e8dae276657d809223b57
|
|
Change-Id: Iea27fe62ef97deb8a75e8dae276657d809223b57
|
|
---
|
|
src/core/SkRegion.cpp | 6 ++++--
|
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/core/SkRegion.cpp b/src/core/SkRegion.cpp
|
|
index 9176c7a55c..f97da2e9dd 100644
|
|
--- a/src/core/SkRegion.cpp
|
|
+++ b/src/core/SkRegion.cpp
|
|
@@ -53,8 +53,10 @@ public:
|
|
/** Resize the array to a size greater-than-or-equal-to count. */
|
|
void resizeToAtLeast(int count) {
|
|
if (count > fCount) {
|
|
- // leave at least 50% extra space for future growth.
|
|
- count += count >> 1;
|
|
+ // leave at least 50% extra space for future growth (unless adding would overflow)
|
|
+ SkSafeMath safe;
|
|
+ int newCount = safe.addInt(count, count >> 1);
|
|
+ count = safe ? newCount : SK_MaxS32;
|
|
fMalloc.realloc(count);
|
|
if (fPtr == fStack) {
|
|
memcpy(fMalloc.get(), fStack, fCount * sizeof(SkRegionPriv::RunType));
|