Check negative overflow of quickSkFDot6Div
authorliyuqian <liyuqian@google.com>
Wed, 9 Nov 2016 15:24:21 +0000 (07:24 -0800)
committerCommit bot <commit-bot@chromium.org>
Wed, 9 Nov 2016 15:24:21 +0000 (07:24 -0800)
The following fuzz html reveals the bug in chromium content_shell

===html=begins===
<style>
*{min-width:4%;-webkit-border-radius:+256%;}
.CLASS11{text-decoration:rgba(128%,16129%,1%,0.0000000004656612317904879831274006762300773920593144339363789186) dotted blink;vertical-align:124px;-webkit-column-count:2147483655 !important;</style>
<h1 class="CLASS11 CLASS1">
>
B
<button>
<h4 class="CLASS11 CLASS12">
</h4>
<p>
c C
<table>
<caption class="CLASS11">
>
<ruby class="CLASS11 CLASS12">
</ruby>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA x
===html===ends===

BUG=chromium:662905
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2482863004

Review-Url: https://codereview.chromium.org/2482863004

src/core/SkAnalyticEdge.cpp

index fde37e0..c17426d 100644 (file)
@@ -22,8 +22,11 @@ public:
 };
 
 static inline SkFixed quickSkFDot6Div(SkFDot6 a, SkFDot6 b) {
-    if (SkAbs32(b) < kInverseTableSize) {
-        SkASSERT((int64_t)a * QuickFDot6Inverse::Lookup(b) <= SK_MaxS32);
+    // Max inverse of b is 2^6 which is 2^22 in SkFixed format.
+    // Hence the safe value of abs(a) should be less than 2^10.
+    if (SkAbs32(b) < kInverseTableSize && SkAbs32(a) < (1 << 10)) {
+        SkASSERT((int64_t)a * QuickFDot6Inverse::Lookup(b) <= SK_MaxS32
+                && (int64_t)a * QuickFDot6Inverse::Lookup(b) >= SK_MinS32);
         SkFixed ourAnswer = (a * QuickFDot6Inverse::Lookup(b)) >> 6;
         #ifdef SK_DEBUG
         SkFixed directAnswer = SkFDot6Div(a, b);
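Review bot: The new bound `SkAbs32(a) < (1 << 10)` looks one bit too loose against the figures the added comment itself gives: with Lookup(b) reaching 2^22 for |b| = 1, a = 2^10 - 1 yields a product just under 2^32, above SK_MaxS32, so the 32-bit multiply `a * QuickFDot6Inverse::Lookup(b)` on the next line can still overflow (signed overflow is undefined behaviour, and the SkASSERT only catches it in debug builds). (2^9 - 1) * 2^22 is below 2^31, so if the comment's maximum is right the guard should read `if (SkAbs32(b) < kInverseTableSize && SkAbs32(a) < (1 << 9)) {` with the comment updated to say "less than 2^9"; if the table's actual maximum is smaller than 2^22, the comment should state that value so the bound can be checked. The exact values of the inverse table are not visible in this hunk, so please confirm against QuickFDot6Inverse. quickSkFDot6Div continues past the end of the hunk.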