An integer overflow is causing a memory allocation to succeed while it should fail for being too large.
BUG=445810
Review URL: https://codereview.chromium.org/831583004
#ifndef SkTemplates_DEFINED
#define SkTemplates_DEFINED
+#include "SkMath.h"
#include "SkTypes.h"
#include <limits.h>
#include <new>
}
if (count > N) {
- fArray = (T*) sk_malloc_throw(count * sizeof(T));
+ const uint64_t size64 = sk_64_mul(count, sizeof(T));
+ const size_t size = static_cast<size_t>(size64);
+ if (size != size64) {
+ sk_out_of_memory();
+ }
+ fArray = (T*) sk_malloc_throw(size);
} else if (count > 0) {
fArray = (T*) fStorage;
} else {
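Review bot: The new guard in the `count > N` branch protects the allocation only if `sk_out_of_memory()` never returns; if it did, the truncated `size` would still reach `sk_malloc_throw(size)` on the next line and the buffer would be smaller than `count` elements. A comment above the check such as `// sk_out_of_memory() does not return; the product is kept in 64 bits so truncation to size_t is detectable` would make that dependency explicit. Where size_t is 64 bits wide, `size != size64` can never be true, so there the check relies on the 64-bit product itself not wrapping, which depends on the type of `count` (declared outside this hunk). Any other `count * sizeof(T)` allocation in this header would need the same check. The enclosing function starts and ends outside the hunk.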