Adding check on input count
An integer overflow is causing a memory allocation to succeed while it should fail for being too large.
BUG=445810
Review URL: https://codereview.chromium.org/831583004
diff --git a/include/core/SkTemplates.h b/include/core/SkTemplates.h
index 3571af6..6ab4439 100644
--- a/include/core/SkTemplates.h
+++ b/include/core/SkTemplates.h
@@ -10,6 +10,7 @@
#ifndef SkTemplates_DEFINED
#define SkTemplates_DEFINED
+#include "SkMath.h"
#include "SkTypes.h"
#include <limits.h>
#include <new>
@@ -292,7 +293,12 @@
}
if (count > N) {
- fArray = (T*) sk_malloc_throw(count * sizeof(T));
+ const uint64_t size64 = sk_64_mul(count, sizeof(T));
+ const size_t size = static_cast<size_t>(size64);
+ if (size != size64) {
+ sk_out_of_memory();
+ }
+ fArray = (T*) sk_malloc_throw(size);
} else if (count > 0) {
fArray = (T*) fStorage;
} else {