Chrome SKIA Integer Overflow

When deserializing an SkPath, there is some basic validation performed to ensure that the contents are consistent. This validation does not use safe integer types, or perform additional validation, so it’s possible for a large path to overflow the point count, resulting in an unsafe SkPath object.   Exploit Files ≈ Packet Storm 

 

More To Explore