commit 07afa23bd0fa74d18fb7faee898b2a876536a170
author Leon Scroggins III <scroggo@google.com> Mon Oct 22 13:16:37 2018 -0400
committer Skia Commit-Bot <skia-commit-bot@chromium.org> Mon Oct 22 17:41:52 2018 +0000
tree 23541146f2d22e19f263f561710e8fef864b12e0
parent 701167cfb9bf3e94ff2d8ebafb4eb9eff1f2e35e

Fix heap buffer overflow

Bug: oss-fuzz:11040

Because we're sampling, the offset ends up the same as the width. Back
up to the left enough to fit the bytes we will write.

Change-Id: Ie476a0191b66c2322446b9c0922f630d6e971645
Reviewed-on: https://skia-review.googlesource.com/c/164262
Commit-Queue: Leon Scroggins <scroggo@google.com>
Commit-Queue: Mike Klein <mtklein@google.com>
Auto-Submit: Leon Scroggins <scroggo@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>

src/codec/SkSwizzler.cpp

diff --git a/src/codec/SkSwizzler.cpp b/src/codec/SkSwizzler.cpp
index e1e2ecb..05636eb 100644
--- a/src/codec/SkSwizzler.cpp
+++ b/src/codec/SkSwizzler.cpp
@@ -1216,6 +1216,15 @@
     fSwizzleWidth = get_scaled_dimension(fSrcWidth, sampleX);
     fAllocatedWidth = get_scaled_dimension(fDstWidth, sampleX);
 
+    if (fDstOffsetBytes > 0) {
+        const size_t dstSwizzleBytes   = fSwizzleWidth   * fDstBPP;
+        const size_t dstAllocatedBytes = fAllocatedWidth * fDstBPP;
+        if (fDstOffsetBytes + dstSwizzleBytes > dstAllocatedBytes) {
+            SkASSERT(dstSwizzleBytes < dstAllocatedBytes);
+            fDstOffsetBytes = dstAllocatedBytes - dstSwizzleBytes;
+        }
+    }
+
     // The optimized swizzler functions do not support sampling.  Sampled swizzles
     // are already fast because they skip pixels.  We haven't seen a situation
     // where speeding up sampling has a significant impact on total decode time.