Title: SkFontPriv::CountTextElements return type change (int → size_t) causes massive allocation on malformed UTF input
Component: Skia > Text
Severity: High (potential OOM / crash)
Introduced in: 7e2374fa4053 "Use size_t for font/typeface return values (to match span's)"
Description
In commit 7e2374fa4053, SkFontPriv::CountTextElements was changed from returning int to size_t, and SkFont::countText was changed similarly. However, the underlying SkUTF::CountUTF8 and SkUTF::CountUTF16 still return int and still use -1 as an error sentinel for malformed input.
In CountTextElements, the int return value from CountUTF8/CountUTF16 is implicitly converted to size_t on line 383 and line 385. When the input is malformed UTF, -1 becomes ~0ULL (18446744073709551615), and callers have no way to distinguish an error from a valid count.
Reproduction path
Pass malformed UTF-8 (e.g., an invalid lead byte or truncated sequence) to any API that goes through countText:
Impact
SkAutoToGlyphs calls font.countText() on line 99 and uses the result to allocate storage on line 100:
This affects measureText, getWidths, getBounds, getPos, and any other API that uses SkAutoToGlyphs internally.
SkTypeface::textToGlyphs also calls CountTextElements on line 421 and uses the result for a size comparison and potential memcpy.
Suggested fix
Have CountTextElements guard against the signed→unsigned conversion:
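As an added, stand-alone illustration of the conversion described above and of the kind of guard being suggested (this is not code from the Skia tree or from this report; the UTF-8 counter is a simplified stand-in for SkUTF::CountUTF8, and the function names are hypothetical), the following shows how the -1 error sentinel becomes SIZE_MAX once it passes through a size_t return type, and one way to intercept it before an allocating caller sees it:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Simplified stand-in for SkUTF::CountUTF8 (illustration only, not Skia's code).
// Like the real one, it returns the number of code points or -1 on malformed input.
int CountUTF8Stub(const char* utf8, size_t byteLength) {
    const uint8_t* p = reinterpret_cast<const uint8_t*>(utf8);
    const uint8_t* end = p + byteLength;
    int count = 0;
    while (p < end) {
        uint8_t lead = *p;
        int len;
        if (lead < 0x80)               len = 1;
        else if ((lead & 0xE0) == 0xC0) len = 2;
        else if ((lead & 0xF0) == 0xE0) len = 3;
        else if ((lead & 0xF8) == 0xF0) len = 4;
        else return -1;                      // invalid lead byte (e.g. a stray continuation byte)
        if (end - p < len) return -1;        // truncated sequence at end of buffer
        for (int i = 1; i < len; ++i) {
            if ((p[i] & 0xC0) != 0x80) return -1; // bad continuation byte
        }
        p += len;
        ++count;
    }
    return count;
}

// Mirrors the defect: the int sentinel is implicitly widened to size_t, so -1
// silently becomes SIZE_MAX and looks like a legitimate (enormous) element count.
size_t CountTextElementsUnguarded(const char* text, size_t byteLength) {
    return CountUTF8Stub(text, byteLength); // implicit int -> size_t conversion
}

// One possible guard: check the signed result before converting. Malformed input
// yields 0 so an allocating caller reserves nothing instead of SIZE_MAX slots.
size_t CountTextElementsGuarded(const char* text, size_t byteLength) {
    int n = CountUTF8Stub(text, byteLength);
    if (n < 0) {
        return 0; // error sentinel never reaches the unsigned return value
    }
    return static_cast<size_t>(n);
}

int main() {
    // Constructed inputs: valid ASCII, a valid 2-byte sequence, an invalid lead
    // byte (0xFF) and a truncated 2-byte sequence (lead byte with no continuation).
    const char* samples[] = {"abc", "\xC3\xA9", "\xFF", "\xC3"};
    const size_t lengths[] = {3, 2, 1, 1};
    for (int i = 0; i < 4; ++i) {
        std::printf("sample %d: raw=%d unguarded=%zu guarded=%zu\n", i,
                    CountUTF8Stub(samples[i], lengths[i]),
                    CountTextElementsUnguarded(samples[i], lengths[i]),
                    CountTextElementsGuarded(samples[i], lengths[i]));
    }
    return 0;
}
```

Returning 0 for malformed input keeps the size_t signature intact but makes empty and malformed text indistinguishable to the caller; if callers need to tell them apart, an explicit error channel (an out-parameter or an optional result) is the alternative.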