From 7f1874127d99837017453a3d7a26932f08adb273 Mon Sep 17 00:00:00 2001
From: Shelly Lin
Date: Mon, 19 Jan 2026 11:18:09 +0800
Subject: [PATCH] Bug 141873 - Limit the drawing function. r=ethan.chen,shawn.huang

---
 gfx/skia/skia/src/gpu/GrBufferAllocPool.cpp | 24 +++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/gfx/skia/skia/src/gpu/GrBufferAllocPool.cpp b/gfx/skia/skia/src/gpu/GrBufferAllocPool.cpp
index 73b70bf86148..5a86aa2fe501 100644
--- a/gfx/skia/skia/src/gpu/GrBufferAllocPool.cpp
+++ b/gfx/skia/skia/src/gpu/GrBufferAllocPool.cpp
@@ -18,6 +18,10 @@
 #include "SkTraceEvent.h"
 
+#include "mozilla/CheckedInt.h"
+
+using mozilla::CheckedInt;
+
 #ifdef SK_DEBUG
 #define VALIDATE validate
 #else
@@ -345,9 +349,17 @@ void* GrVertexBufferAllocPool::makeSpace(size_t vertexSize,
     SkASSERT(buffer);
     SkASSERT(startVertex);
 
+    // Prevent integer overflow in buffer size calculation
+    CheckedInt totalSize = CheckedInt(vertexSize) * vertexCount;
+    if (!totalSize.isValid()) {
+        *buffer = nullptr;
+        *startVertex = 0;
+        return nullptr;
+    }
+
     size_t offset = 0; // assign to suppress warning
     const GrGeometryBuffer* geomBuffer = nullptr; // assign to suppress warning
-    void* ptr = INHERITED::makeSpace(vertexSize * vertexCount,
+    void* ptr = INHERITED::makeSpace(totalSize.value(),
                                      vertexSize,
                                      &geomBuffer,
                                      &offset);
@@ -372,9 +384,17 @@ void* GrIndexBufferAllocPool::makeSpace(int indexCount,
     SkASSERT(buffer);
     SkASSERT(startIndex);
 
+    // Prevent integer overflow in buffer size calculation
+    CheckedInt totalSize = CheckedInt(sizeof(uint16_t)) * indexCount;
+    if (!totalSize.isValid()) {
+        *buffer = nullptr;
+        *startIndex = 0;
+        return nullptr;
+    }
+
     size_t offset = 0; // assign to suppress warning
     const GrGeometryBuffer* geomBuffer = nullptr; // assign to suppress warning
-    void* ptr = INHERITED::makeSpace(indexCount * sizeof(uint16_t),
+    void* ptr = INHERITED::makeSpace(totalSize.value(),
                                      sizeof(uint16_t),
                                      &geomBuffer,
                                      &offset);
-- 
GitLab
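Review bot: `#include "mozilla/CheckedInt.h"` and `using mozilla::CheckedInt;` are added at file scope of a vendored Skia source under gfx/skia/skia, which ties that file to the Mozilla tree and will have to be re-applied on every Skia update. If patching the vendored file in place is the accepted practice here, I would at least drop the file-scope using-declaration and write `mozilla::CheckedInt<size_t>` at the two use sites so the local dependency stays greppable, and mark the edit with a comment such as `// Mozilla-local change: overflow guard for the makeSpace() size computation (see bug 141873).` so the next Skia uplift does not silently lose it.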
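Review bot: `CheckedInt totalSize = CheckedInt(vertexSize) * vertexCount;` names the class template without a template argument; `mozilla::CheckedInt<T>` only provides a templated converting constructor, so T cannot be deduced from the argument and I would not expect this line to compile as written. Spell the type out: `CheckedInt<size_t> totalSize = CheckedInt<size_t>(vertexSize) * vertexCount;`, and make the same change to the `CheckedInt(sizeof(uint16_t)) * indexCount` line in the GrIndexBufferAllocPool::makeSpace hunk below. With the type fixed, the `isValid()` early return that clears `*buffer` and `*startVertex` looks right, but callers of makeSpace now receive nullptr for a new reason, and whether every caller already checks the return is outside this hunk; worth confirming. makeSpace's signature (and so vertexCount's type) and the remainder of its body are outside the hunk.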
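Review bot: The comment `// Prevent integer overflow in buffer size calculation` does not describe what this guard actually catches: `indexCount` is an `int` (per the hunk header), and `sizeof(uint16_t) * INT_MAX` fits even a 32-bit size_t, so a genuine multiplication overflow is not reachable here. What the check rejects is a negative `indexCount`, which the old code silently converted to a huge size_t before the multiplication; if the CheckedInt conversion is what flags that case, say so: `// Reject a negative or oversized index count; a negative int would otherwise wrap to a huge size_t in the size computation.` The vertex hunk above has the same comment and would benefit from the same precision. If a negative count should never reach this function, an `SkASSERT(indexCount >= 0)` next to the existing asserts would document the contract in debug builds while the guard keeps release builds safe.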