From d62a29774cdb556db71fd0466d099fe35b7383bc Mon Sep 17 00:00:00 2001
From: Firefly <service@t-firefly.com>
Date: Thu, 15 Oct 2015 22:58:33 +0800
Subject: [PATCH] [external/skia] Merge tag 'android-5.1.1_r24' into dev

Android 5.1.1 release 24
---
 external/skia/src/core/SkRegionPriv.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/external/skia/src/core/SkRegionPriv.h b/external/skia/src/core/SkRegionPriv.h
index c8f000df35..00feedeab8 100644
--- a/external/skia/src/core/SkRegionPriv.h
+++ b/external/skia/src/core/SkRegionPriv.h
@@ -65,7 +65,10 @@ public:
 
         SkASSERT(count >= SkRegion::kRectRegionRuns);
 
-        RunHead* head = (RunHead*)sk_malloc_throw(sizeof(RunHead) + count * sizeof(RunType));
+        const int64_t size = sk_64_mul(count, sizeof(RunType)) + sizeof(RunHead);
+        if (count < 0 || !sk_64_isS32(size)) { SK_CRASH(); }
+
+        RunHead* head = (RunHead*)sk_malloc_throw(size);
         head->fRefCnt = 1;
         head->fRunCount = count;
         // these must be filled in later, otherwise we will be invalid