Adding check on input count
authorsugoi <sugoi@chromium.org>
Wed, 7 Jan 2015 21:28:08 +0000 (13:28 -0800)
committerCommit bot <commit-bot@chromium.org>
Wed, 7 Jan 2015 21:28:08 +0000 (13:28 -0800)
An integer overflow is causing a memory allocation to succeed while it should fail for being too large.

BUG=445810

Review URL: https://codereview.chromium.org/831583004

include/core/SkTemplates.h

index 3571af6..6ab4439 100644 (file)
@@ -10,6 +10,7 @@
 #ifndef SkTemplates_DEFINED
 #define SkTemplates_DEFINED
 
+#include "SkMath.h"
 #include "SkTypes.h"
 #include <limits.h>
 #include <new>
@@ -292,7 +293,12 @@ public:
             }
 
             if (count > N) {
-                fArray = (T*) sk_malloc_throw(count * sizeof(T));
+                const uint64_t size64 = sk_64_mul(count, sizeof(T));
+                const size_t size = static_cast<size_t>(size64);
+                if (size != size64) {
+                    sk_out_of_memory();
+                }
+                fArray = (T*) sk_malloc_throw(size);
             } else if (count > 0) {
                 fArray = (T*) fStorage;
             } else {
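Review bot: The overflow guard in the `count > N` branch only protects the allocation if `sk_out_of_memory()` never returns. Nothing in this hunk shows that, and if it could return, `sk_malloc_throw(size)` on the following line would still be called with the truncated `size`. Either confirm that the helper is declared no-return, or put the allocation in an `else` so the dependency is visible at the call site. The block also needs a short comment explaining the 64-bit multiply, for example `// count * sizeof(T) can wrap a 32-bit size_t; multiply in 64 bits and fail if the product does not fit`. The enclosing method starts and ends outside the hunk, so the type of `count` and any other `count * sizeof(T)` allocations in this header cannot be checked from here.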