From b0af0da933c8946e544267f1756cb9c598e776ab Mon Sep 17 00:00:00 2001
From: zhangxin11112342 <zhangxin531@h-partners.com>
Date: Fri, 11 Oct 2024 14:53:59 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8DCVE-2024-9123?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: zhangxin11112342 <zhangxin531@h-partners.com>
---
 src/gpu/ganesh/ops/DrawAtlasOp.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/gpu/ganesh/ops/DrawAtlasOp.cpp b/src/gpu/ganesh/ops/DrawAtlasOp.cpp
index 776587d3..719d7fa0 100644
--- a/src/gpu/ganesh/ops/DrawAtlasOp.cpp
+++ b/src/gpu/ganesh/ops/DrawAtlasOp.cpp
@@ -112,7 +112,7 @@ DrawAtlasOpImpl::DrawAtlasOpImpl(GrProcessorSet* processorSet, const SkPMColor4f
         : GrMeshDrawOp(ClassID()), fHelper(processorSet, aaType), fColor(color) {
     SkASSERT(xforms);
     SkASSERT(rects);
-
+    SkASSERT(spriteCount >= 0);
     fViewMatrix = viewMatrix;
     Geometry& installedGeo = fGeoData.push_back();
     installedGeo.fColor = color;
@@ -127,6 +127,11 @@ DrawAtlasOpImpl::DrawAtlasOpImpl(GrProcessorSet* processorSet, const SkPMColor4f
         vertexStride += sizeof(GrColor);
     }
 
+    // Bail out if we'd overflow from a really large draw
+    if (spriteCount > SK_MaxS32 / static_cast<int>(4 * vertexStride)) {
+        return;
+    }
+
     // Compute buffer size and alloc buffer
     fQuadCount = spriteCount;
     int allocSize = static_cast<int>(4 * vertexStride * spriteCount);
-- 
Gitee