From 1fd666cbb9655e1ce5f37f435d1f9ea2d7b47827 Mon Sep 17 00:00:00 2001
From: fmalita
Date: Sat, 28 May 2016 06:57:33 -0700
Subject: [PATCH] [M52] Cherry-pick e6c515f3d34096426b6822ad90a757131e8baf31 Fix int32 overflow in LinearGradientContext::shade4_dx_clamp The unconditional increment in shade4_dx_clamp can overflow int32 => n == SK_MinS32 => count ~= SK_MinS32 => we skip the main shader loop 'cause count < 0 Also include trivial 0e59bb7aaad272ac42d6fba53e8439bd9fa1ff3d followup to ensure we're not tripping ASAN. TBR=reed@google.com,mtklein@google.com BUG=chromium:599458 Review-Url: https://codereview.chromium.org/2010843002 NOTREECHECKS=true NOTRY=true NOPRESUBMIT=true Review-Url: https://codereview.chromium.org/2021673002
---
 src/effects/gradients/SkLinearGradient.cpp | 12 ++++++++++--
 tests/GradientTest.cpp | 20 ++++++++++++++++++++
 2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/src/effects/gradients/SkLinearGradient.cpp b/src/effects/gradients/SkLinearGradient.cpp
index 1bdce39..7752aac 100644
--- a/src/effects/gradients/SkLinearGradient.cpp
+++ b/src/effects/gradients/SkLinearGradient.cpp
@@ -610,7 +610,11 @@ void SkLinearGradient::LinearGradientContext::shade4_dx_clamp(SkPMColor dstC[],
 if (dx_is_pos) {
 if (fx < 0) {
- int n = SkTMin(SkFloatToIntFloor(-fx * invDx) + 1, count);
+ // count is guaranteed to be positive, but the first arg may overflow int32 after
+ // increment => casting to uint32 ensures correct clamping.
+ int n = SkTMin(static_cast(SkFloatToIntFloor(-fx * invDx)) + 1,
+ count);
+ SkASSERT(n > 0);
 fill(dstC, n, rec[0].fColor);
 count -= n;
 dstC += n;
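Review bot: The new comment's premise that `count` is positive is not checked anywhere in this hunk, and the clamp depends on it: if the comparison is done in uint32 as the comment says (the template arguments seem to have been lost in this rendering of the patch), a negative `count` would compare as a huge unsigned value and `n` would take the unclamped first argument before `fill(dstC, n, rec[0].fColor)` and `dstC += n` run. Putting `SkASSERT(count > 0);` directly above the `int n = ...` line would keep that precondition next to the code that relies on it, and the same line belongs in the `fx > 1` branch of the `@@ -622,7 +626,11 @@` hunk. `SkASSERT(n > 0)` is presumably a debug-only check, so in release builds the unsigned clamp is the only guard on the write length. shade4_dx_clamp begins and ends outside both hunks, so an earlier check on `count` may already exist.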
@@ -622,7 +626,11 @@ void SkLinearGradient::LinearGradientContext::shade4_dx_clamp(SkPMColor dstC[],
 }
 } else { // dx < 0
 if (fx > 1) {
- int n = SkTMin(SkFloatToIntFloor((1 - fx) * invDx) + 1, count);
+ // count is guaranteed to be positive, but the first arg may overflow int32 after
+ // increment => casting to uint32 ensures correct clamping.
+ int n = SkTMin(static_cast(SkFloatToIntFloor((1 - fx) * invDx)) + 1,
+ count);
+ SkASSERT(n > 0);
 fill(dstC, n, rec[fRecs.count() - 1].fColor);
 count -= n;
 dstC += n;
diff --git a/tests/GradientTest.cpp b/tests/GradientTest.cpp
index ac55d99..7add42d 100644
--- a/tests/GradientTest.cpp
+++ b/tests/GradientTest.cpp
@@ -234,6 +234,25 @@ static void test_two_point_conical_zero_radius(skiatest::Reporter* reporter) {
 REPORTER_ASSERT(reporter, SkGetPackedR32(centerPMColor) == 0);
 }
+// http://crbug.com/599458
+static void test_clamping_overflow(skiatest::Reporter*) {
+ SkPaint p;
+ const SkColor colors[] = { SK_ColorRED, SK_ColorGREEN };
+ const SkPoint pts1[] = { SkPoint::Make(1001, 1000001), SkPoint::Make(1000.99f, 1000000) };
+
+ p.setShader(SkGradientShader::MakeLinear(pts1, colors, nullptr, 2, SkShader::kClamp_TileMode));
+
+ sk_sp surface(SkSurface::MakeRasterN32Premul(50, 50));
+ surface->getCanvas()->scale(100, 100);
+ surface->getCanvas()->drawPaint(p);
+
+ const SkPoint pts2[] = { SkPoint::Make(10000.99f, 1000000), SkPoint::Make(10001, 1000001) };
+ p.setShader(SkGradientShader::MakeLinear(pts2, colors, nullptr, 2, SkShader::kClamp_TileMode));
+ surface->getCanvas()->drawPaint(p);
+
+ // Passes if we don't trigger asserts.
+}
+
 DEF_TEST(Gradient, reporter) {
 TestGradientShaders(reporter);
 TestConstantGradient(reporter);
@@ -241,4 +260,5 @@ DEF_TEST(Gradient, reporter) {
 test_nearly_vertical(reporter);
 test_linear_fuzz(reporter);
 test_two_point_conical_zero_radius(reporter);
+ test_clamping_overflow(reporter);
 }
--
2.7.4
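Review bot: test_clamping_overflow (the `@@ -234,6 +234,25 @@` hunk of tests/GradientTest.cpp) contains no assertion of its own, so it can only fail through an SkASSERT, a sanitizer report or a crash; in a release run without sanitizers it would likely pass even if the clamp regressed. Naming the `skiatest::Reporter*` parameter and checking a pixel after each `drawPaint(p)`, in the style of the `REPORTER_ASSERT(reporter, SkGetPackedR32(centerPMColor) == 0)` line just above, would make the test meaningful in every configuration. If that is out of scope for a cherry-pick, the closing comment could at least say `// Passes if we don't trigger asserts (only checked in debug or sanitizer builds).`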