From 20cba06a4bc9bde60b2dc37907d11ca81ba35ce8 Mon Sep 17 00:00:00 2001
From: Matt Sarett
Date: Mon, 17 Oct 2016 12:30:39 -0400
Subject: [PATCH] Avoid integer overflow in SkIcoCodec
Definitely good to avoid overflow here. FWIW, this looks to be harmless for Android's current use. They will just fail later on when trying to allocate the bitmap.
BUG=skia:5857
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=3527
Change-Id: Ia1fb7d864d21ecdb127a1dd1a72cab8375cb43fb
Reviewed-on: https://skia-review.googlesource.com/3527
Commit-Queue: Matt Sarett
Reviewed-by: Kevin Lubick
Reviewed-by: Leon Scroggins
---
 resources/invalid_images/int_overflow.ico | Bin 0 -> 323 bytes
 src/codec/SkIcoCodec.cpp | 9 +++++----
 tests/CodecTest.cpp | 7 +++++++
 3 files changed, 12 insertions(+), 4 deletions(-)
 create mode 100644 resources/invalid_images/int_overflow.ico
diff --git a/resources/invalid_images/int_overflow.ico b/resources/invalid_images/int_overflow.ico
new file mode 100644
index 0000000000000000000000000000000000000000..24a7c701f90172c0e041f59330e6b72418f0c6ab
GIT binary patch
literal 323
zcmah^F$%&!5S;TAEpv*90m-FKX9}^(1$=<5AIKwYk{8&gu@>K9nLk+ASOv9AbI!%s
z2@cH8-tIEH2MF{5cw|*HKx3H!SsA0UhFL)(chw=;+}yJu7oAdo0JvJEA_d5BY}#5E
zWQJqVnVy_!nbfXzhykVCUM|ng(_+L+WO(_7SK{Vqz26Wfj3&aJTu)hDik_y-gl@O&
p?h?Kj@L#}|!GF*;O;e9_IDe##`h$P{ZtN>-tyfypTENVucmr0-L{tC(
literal 0
HcmV?d00001
diff --git a/src/codec/SkIcoCodec.cpp b/src/codec/SkIcoCodec.cpp
index 63b72c4..d01904d 100644
--- a/src/codec/SkIcoCodec.cpp
+++ b/src/codec/SkIcoCodec.cpp
@@ -157,11 +157,12 @@ SkCodec* SkIcoCodec::NewFromStream(SkStream* stream) {
 }
 // Use the largest codec as a "suggestion" for image info
- uint32_t maxSize = 0;
- uint32_t maxIndex = 0;
- for (int32_t i = 0; i < codecs->count(); i++) {
+ size_t maxSize = 0;
+ int maxIndex = 0;
+ for (int i = 0; i < codecs->count(); i++) {
 SkImageInfo info = codecs->operator[](i)->getInfo();
- uint32_t size = info.width() * info.height();
+ size_t size = info.getSafeSize(info.minRowBytes());
+
 if (size > maxSize) {
 maxSize = size;
 maxIndex = i;
diff --git a/tests/CodecTest.cpp b/tests/CodecTest.cpp
index 4d18c61..a6058a9 100644
--- a/tests/CodecTest.cpp
+++ b/tests/CodecTest.cpp
@@ -1362,3 +1362,10 @@ DEF_TEST(Codec_rowsDecoded, r) {
 REPORTER_ASSERT(r, result == SkCodec::kIncompleteInput);
 REPORTER_ASSERT(r, rowsDecoded == 0);
 }
+
+DEF_TEST(Codec_IcoIntOverflow, r) {
+ // ASAN will complain if there is an issue.
+ SkBitmap bitmap;
+ const bool success = GetResourceAsBitmap("invalid_images/int_overflow.ico", &bitmap);
+ REPORTER_ASSERT(r, !success);
+}
--
2.7.4
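Review bot: When no embedded image yields a non-zero `size`, `maxIndex` stays 0, so a file whose only entry has unrepresentable dimensions still supplies the codec's suggested image info. This assumes `getSafeSize()` reports a size that does not fit as 0, which its use here suggests but which is not visible in this hunk. The failure is then deferred to the caller's bitmap allocation, as the commit description says. Rejecting the stream once the loop finishes, for example `if (0 == maxSize) { return nullptr; }`, would keep file-controlled dimensions away from callers that size buffers from `getInfo()`, provided embedded codecs never legitimately report an empty image. A comment on the new `size_t size` line such as `// getSafeSize() is 0 when the byte size does not fit, so such entries never win` would record the intent. The loop and the rest of NewFromStream continue outside the hunk.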
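Review bot: The comment `// ASAN will complain if there is an issue.` overstates what this test detects. The removed `info.width() * info.height()` multiply is an arithmetic overflow, which AddressSanitizer reports only if it leads to a bad memory access; assuming the operands are signed, an undefined-behaviour sanitizer is what would flag it. The single assertion `!success` also presumably passes when the resource is missing or fails to decode for an unrelated reason, so it does not pin the overflow path. Consider rewording the comment to `// skia:5857: entry dimensions overflow a 32-bit size; decode must fail cleanly (run under UBSAN/ASAN).` and adding a check that the resource itself can be opened.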