Chrome SKIA Integer Overflow

When deserializing an SkPath, there is some basic validation performed to ensure that the contents are consistent. This validation does not use safe integer types, or perform additional validation, so it’s possible for a large path to overflow the point count, resulting in an unsafe SkPath object.   Exploit Files ≈ Packet Storm 


More To Explore