Bug 1287515 - limit the number of points in SkDashPathEffect::asPoints. r=mchang
author: Lee Salzman <lsalzman@mozilla.com>
Wed, 20 Jul 2016 23:35:35 -0400
changeset 346023 4bc6b6fe87b67765de7b010ecf0c2e8802a13170
parent 346022 439867de69353a878b0bf43b6d5d00e92d678304
child 346024 3119db384fccddf90d5926a2e11296d9b280ae4a
push id: 6389
push user: raliiev@mozilla.com
push date: Mon, 19 Sep 2016 13:38:22 +0000
reviewers: mchang
bugs: 1287515
milestone: 50.0a1
Bug 1287515 - limit the number of points in SkDashPathEffect::asPoints. r=mchang MozReview-Commit-ID: 4QI82EfsHh6
dom/canvas/crashtests/1287515-1.html
dom/canvas/crashtests/crashtests.list
gfx/skia/skia/src/effects/SkDashPathEffect.cpp
new file mode 100644
--- /dev/null
+++ b/dom/canvas/crashtests/1287515-1.html
@@ -0,0 +1,7 @@
+<canvas id='i0'></canvas>
+<script>
+var c=document.getElementById('i0').getContext('2d');
+c.lineWidth=Number.MAX_SAFE_INTEGER;
+c.setLineDash([1]);
+c.strokeRect(1,1,0,Number.MIN_SAFE_INTEGER);
+</script>
--- a/dom/canvas/crashtests/crashtests.list
+++ b/dom/canvas/crashtests/crashtests.list
@@ -24,8 +24,9 @@ load 1161277-1.html
 load 1183363.html
 load 1190705.html
 load 1223740-1.html
 load 1225381-1.html
 skip-if(azureCairo) load 1229983-1.html
 load 1229932-1.html
 load 1244850-1.html
 load 1246775-1.html
+load 1287515-1.html
--- a/gfx/skia/skia/src/effects/SkDashPathEffect.cpp
+++ b/gfx/skia/skia/src/effects/SkDashPathEffect.cpp
@@ -243,17 +243,25 @@ bool SkDashPathEffect::asPoints(PointDat
                 len2 -= fIntervals[1];  // also skip first space
                 if (len2 < 0) {
                     len2 = 0;
                 }
             } else {
                 len2 -= clampedInitialDashLength; // skip initial partial empty
             }
         }
-        int numMidPoints = SkScalarFloorToInt(len2 / fIntervalLength);
+        // Too many midpoints can cause results->fNumPoints to overflow or
+        // otherwise cause the results->fPoints allocation below to OOM.
+        // Cap it to a sane value.
+        static const SkScalar kMaxPoints = 1000000;
+        SkScalar numIntervals = len2 / fIntervalLength;
+        if (!SkScalarIsFinite(numIntervals) || numIntervals > kMaxPoints) {
+            return false;
+        }
+        int numMidPoints = SkScalarFloorToInt(numIntervals);
         results->fNumPoints += numMidPoints;
         len2 -= numMidPoints * fIntervalLength;
         bool partialLast = false;
         if (len2 > 0) {
             if (len2 < fIntervals[0]) {
                 partialLast = true;
             } else {
                 ++numMidPoints;
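Review bot: The new cap bounds only this site's increment, not the total that is later allocated: `results->fNumPoints += numMidPoints;` on the line after the guard adds to whatever fNumPoints already holds from the code above the hunk, and `++numMidPoints` at the end of the hunk is applied after the check, so the allocation size can still exceed kMaxPoints by those contributions. A cheaper and more complete guard is to validate the running total once it is updated, e.g. replace the accumulate line with `results->fNumPoints += numMidPoints;` followed by `if (results->fNumPoints > kMaxPoints) { return false; }`, and apply the same bound where the partial-last-dash increment is folded in (outside this hunk). The guard also does not reject a negative numIntervals; if len2 can be negative after the `len2 -= clampedInitialDashLength` branch above, SkScalarFloorToInt yields a negative numMidPoints and fNumPoints shrinks, which looks unintended — worth confirming against the clamping done earlier in asPoints. Minor style point: `static const SkScalar kMaxPoints` could be a plain `const SkScalar` (or `constexpr`) since it is a compile-time constant. asPoints begins and ends outside this hunk.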