From 2ff257bd95c732b9cebc3aac03fbed72d6e6082a Mon Sep 17 00:00:00 2001
From: reed
Date: Fri, 23 Jan 2015 07:51:14 -0800
Subject: [PATCH] check for too-large rowBytes

BUG=446164
Review URL: https://codereview.chromium.org/871993003
---
 src/core/SkMallocPixelRef.cpp | 5 +++--
 tests/BitmapTest.cpp | 16 +++++++++++++++-
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/src/core/SkMallocPixelRef.cpp b/src/core/SkMallocPixelRef.cpp
index f4ba969..12aa1f6 100644
--- a/src/core/SkMallocPixelRef.cpp
+++ b/src/core/SkMallocPixelRef.cpp
@@ -56,8 +56,9 @@ SkMallocPixelRef* SkMallocPixelRef::NewAllocate(const SkImageInfo& info,
 return NULL;
 }
- int32_t minRB = SkToS32(info.minRowBytes());
- if (minRB < 0) {
+ // only want to permit 31bits of rowBytes
+ int64_t minRB = (int64_t)info.minRowBytes64();
+ if (minRB < 0 || !sk_64_isS32(minRB)) {
 return NULL; // allocation will be too large
 }
 if (requestedRowBytes > 0 && (int32_t)requestedRowBytes < minRB) {
diff --git a/tests/BitmapTest.cpp b/tests/BitmapTest.cpp
index ef69531..f3d8faa 100644
--- a/tests/BitmapTest.cpp
+++ b/tests/BitmapTest.cpp
@@ -6,9 +6,22 @@
 */
 #include "SkBitmap.h"
-
+#include "SkMallocPixelRef.h"
 #include "Test.h"
+// https://code.google.com/p/chromium/issues/detail?id=446164
+static void test_bigalloc(skiatest::Reporter* reporter) {
+ const int width = 0x40000001;
+ const int height = 0x00000096;
+ const SkImageInfo info = SkImageInfo::MakeN32Premul(width, height);
+
+ SkBitmap bm;
+ REPORTER_ASSERT(reporter, !bm.tryAllocPixels(info));
+
+ SkPixelRef* pr = SkMallocPixelRef::NewAllocate(info, info.minRowBytes(), NULL);
+ REPORTER_ASSERT(reporter, !pr);
+}
+
 static void test_allocpixels(skiatest::Reporter* reporter) {
 const int width = 10;
 const int height = 10;
@@ -81,4 +94,5 @@ DEF_TEST(Bitmap, reporter) {
 test_bigwidth(reporter);
 test_allocpixels(reporter);
+ test_bigalloc(reporter);
 }
--
2.7.4
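Review bot: The context line right after the new guard still compares `(int32_t)requestedRowBytes` with the now 64-bit `minRB`, so a requested stride above INT32_MAX is truncated before the comparison instead of being rejected. If `requestedRowBytes` is a `size_t` (its declaration is outside the hunk), a 64-bit value whose low 32 bits look plausible would pass this check. Consider widening rather than narrowing: `if (requestedRowBytes > 0 && (!sk_64_isS32((int64_t)requestedRowBytes) || (int64_t)requestedRowBytes < minRB)) {`. NewAllocate's body starts and ends outside the hunk, so how the stride is used afterwards is not visible here.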
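Review bot: The second assertion in test_bigalloc passes `info.minRowBytes()` as the requested stride, so on a build where that return value is narrower than 64 bits the argument is already wrapped before NewAllocate sees it, and the test never covers a caller that leaves the stride to the allocator. Adding `REPORTER_ASSERT(reporter, !SkMallocPixelRef::NewAllocate(info, 0, NULL));` would exercise the new `minRowBytes64()` guard on its own, assuming 0 means "use the minimum" as the `requestedRowBytes > 0` check in the patched file suggests. A short comment on the constants would also help the next reader, e.g. `// width * 4 bytes per pixel = 0x100000004, which does not fit in 32 bits`.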