From 4f4be35fa3048c0acadeb8bb31a36c2e90ed3ce9 Mon Sep 17 00:00:00 2001
From: Matt Woodrow
Date: Fri, 14 Dec 2018 01:30:40 +0000
Subject: [PATCH] Bug 1490702 - Verify values read from the input, even when we decide we don't need to draw the current command. r=jrmuizel

extra_end gets copied to offset, which can be used in the following command (and needs to be sanitized).
Differential Revision: https://phabricator.services.mozilla.com/D14345
--HG--
extra : moz-landing-system : lando
---
 gfx/webrender_bindings/Moz2DImageRenderer.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gfx/webrender_bindings/Moz2DImageRenderer.cpp b/gfx/webrender_bindings/Moz2DImageRenderer.cpp
index bf2e3077d58e..ffa1ed44baaa 100644
--- a/gfx/webrender_bindings/Moz2DImageRenderer.cpp
+++ b/gfx/webrender_bindings/Moz2DImageRenderer.cpp
@@ -408,6 +408,9 @@ static bool Moz2DRenderCallback(const Range aBlob,
 while (reader.pos < reader.len) {
 size_t end = reader.ReadSize();
 size_t extra_end = reader.ReadSize();
+ MOZ_RELEASE_ASSERT(extra_end >= end);
+ MOZ_RELEASE_ASSERT(extra_end < aBlob.length());
+
 auto combinedBounds = absBounds.Intersect(reader.ReadBounds());
 if (combinedBounds.IsEmpty()) {
 offset = extra_end;
@@ -415,9 +418,6 @@ static bool Moz2DRenderCallback(const Range aBlob,
 }
 layers::WebRenderTranslator translator(dt);
-
- MOZ_RELEASE_ASSERT(extra_end >= end);
- MOZ_RELEASE_ASSERT(extra_end < aBlob.length());
 Reader fontReader(aBlob.begin().get() + end, extra_end - end);
 size_t count = fontReader.ReadSize();
 for (size_t i = 0; i < count; i++) {
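Review bot: The two hoisted asserts in the first hunk bound `extra_end` against `end` and the blob length, but nothing ties `end` to the current `offset`, so an index entry read from the input can still describe a range that starts before the point where the previous command ended. The commit message says `offset` is used by the following command; that use is outside the hunk, but if it forms a length such as `end - offset`, an `end` smaller than `offset` would wrap as a `size_t`. Adding `MOZ_RELEASE_ASSERT(offset <= end);` next to the moved asserts would validate all three values where they are read. The loop body of Moz2DRenderCallback continues past both hunks, so the remaining uses of `end` and `offset` should be checked against this.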