check for 0 upem in freetype

author reed@android.com <reed@android.com@2bbb7eff-a529-9590-31e7-b0007b416f81>

Mon, 4 May 2009 15:00:11 +0000 (15:00 +0000)

committer reed@android.com <reed@android.com@2bbb7eff-a529-9590-31e7-b0007b416f81>

Mon, 4 May 2009 15:00:11 +0000 (15:00 +0000)
author reed@android.com <reed@android.com@2bbb7eff-a529-9590-31e7-b0007b416f81>
Mon, 4 May 2009 15:00:11 +0000 (15:00 +0000)
committer reed@android.com <reed@android.com@2bbb7eff-a529-9590-31e7-b0007b416f81>
Mon, 4 May 2009 15:00:11 +0000 (15:00 +0000)
diff --git a/src/images/SkImageDecoder_libpng.cpp b/src/images/SkImageDecoder_libpng.cpp

index 1d1dd34..9c0b48d 100644 (file)
--- a/src/images/SkImageDecoder_libpng.cpp
+++ b/src/images/SkImageDecoder_libpng.cpp
@@ -259,7 +259,20 @@ bool SkPNGImageDecoder::onDecode(SkStream* sk_stream, SkBitmap* decodedBitmap,
              }
          }
      }
-    
+
+    // sanity check for size
+    {
+        Sk64 size;
+        size.setMul(origWidth, origHeight);
+        if (size.isNeg() || !size.is32()) {
+            return false;
+        }
+        // now check that if we are 4-bytes per pixel, we also don't overflow
+        if (size.get32() > (0x7FFFFFFF >> 2)) {
+            return false;
+        }
+    }
+
      if (!this->chooseFromOneChoice(config, origWidth, origHeight)) {
          return false;
      }
@@ -396,7 +409,7 @@ bool SkPNGImageDecoder::onDecode(SkStream* sk_stream, SkBitmap* decodedBitmap,
              SkAutoMalloc storage(origWidth * origHeight * srcBytesPerPixel);
              uint8_t* base = (uint8_t*)storage.get();
              size_t rb = origWidth * srcBytesPerPixel;
-            
+
              for (int i = 0; i < number_passes; i++) {
                  uint8_t* row = base;
                  for (png_uint_32 y = 0; y < origHeight; y++) {
diff --git a/src/ports/SkFontHost_FreeType.cpp b/src/ports/SkFontHost_FreeType.cpp

index 94d5b4b..556b307 100644 (file)
--- a/src/ports/SkFontHost_FreeType.cpp
+++ b/src/ports/SkFontHost_FreeType.cpp
@@ -750,6 +750,7 @@ void SkScalerContext_FreeType::generateFontMetrics(SkPaint::FontMetrics* mx,
      SkAutoMutexAcquire  ac(gFTMutex);
  
      if (this->setupSize()) {
+        ERROR:
          if (mx) {
              bzero(mx, sizeof(SkPaint::FontMetrics));
          }
@@ -759,10 +760,14 @@ void SkScalerContext_FreeType::generateFontMetrics(SkPaint::FontMetrics* mx,
          return;
      }
  
+    FT_Face face = fFace;
+    int upem = face->units_per_EM;
+    if (upem <= 0) {
+        goto ERROR;
+    }
+
      SkPoint pts[6];
      SkFixed ys[6];
-    FT_Face face = fFace;
-    int     upem = face->units_per_EM;
      SkFixed scaleY = fScaleY;
      SkFixed mxy = fMatrix22.xy;
      SkFixed myy = fMatrix22.yy;
author	reed@android.com <reed@android.com@2bbb7eff-a529-9590-31e7-b0007b416f81>
	Mon, 4 May 2009 15:00:11 +0000 (15:00 +0000)
committer	reed@android.com <reed@android.com@2bbb7eff-a529-9590-31e7-b0007b416f81>
	Mon, 4 May 2009 15:00:11 +0000 (15:00 +0000)
src/images/SkImageDecoder_libpng.cpp		patch \| blob \| history
src/ports/SkFontHost_FreeType.cpp		patch \| blob \| history