Upstream version 10.39.225.0

[platform/framework/web/crosswalk.git] / src / third_party / skia / src / images / SkImageDecoder_libico.cpp

diff --git a/src/third_party/skia/src/images/SkImageDecoder_libico.cpp b/src/third_party/skia/src/images/SkImageDecoder_libico.cpp
index 90058d6..7855546 100644 (file)
--- a/src/third_party/skia/src/images/SkImageDecoder_libico.cpp
+++ b/src/third_party/skia/src/images/SkImageDecoder_libico.cpp
@@ -154,7 +154,8 @@ bool SkICOImageDecoder::onDecode(SkStream* stream, SkBitmap* bm, Mode mode)
     //int fakeBitCount = read2Bytes(buf, 12 + choice*16); //should be real - usually 0
     const size_t size = read4Bytes(buf, 14 + choice*16);           //matters?
     const size_t offset = read4Bytes(buf, 18 + choice*16);
-    if ((offset + size) > length) {
+    // promote the sum to 64-bits to avoid overflow
+    if (((uint64_t)offset + size) > length) {
         return false;
     }
 
@@ -163,6 +164,10 @@ bool SkICOImageDecoder::onDecode(SkStream* stream, SkBitmap* bm, Mode mode)
         SkMemoryStream subStream(buf + offset, size, false);
         SkAutoTDelete<SkImageDecoder> otherDecoder(SkImageDecoder::Factory(&subStream));
         if (otherDecoder.get() != NULL) {
+            // Disallow nesting ICO files within one another
+            if (otherDecoder->getFormat() == SkImageDecoder::kICO_Format) {
+                return false;
+            }
             // Set fields on the other decoder to be the same as this one.
             this->copyFieldsToOther(otherDecoder.get());
             if(otherDecoder->decode(&subStream, bm, this->getDefaultPref(), mode)) {