Google Git
Sign in
skia / skia / 23d432080cb8506bf8e371b1637ce8f2de9c0c05^! / .
commit23d432080cb8506bf8e371b1637ce8f2de9c0c05[log] [tgz]
authorsugoi <sugoi@chromium.org>Wed Jan 07 13:28:08 2015 -0800
committerCommit bot <commit-bot@chromium.org>Wed Jan 07 13:28:08 2015 -0800
tree05132c7f12be23c13ef49fabad2384dc150ae4cd
parenta7976be1dda98047251fd527990df562a47dda55 [diff]
Adding check on input count

An integer overflow is causing a memory allocation to succeed while it should fail for being too large.

BUG=445810

Review URL: https://codereview.chromium.org/831583004

diff --git a/include/core/SkTemplates.h b/include/core/SkTemplates.h
index 3571af6..6ab4439 100644
--- a/include/core/SkTemplates.h
+++ b/include/core/SkTemplates.h

@@ -10,6 +10,7 @@
 #ifndef SkTemplates_DEFINED
 #define SkTemplates_DEFINED
 
+#include "SkMath.h"
 #include "SkTypes.h"
 #include <limits.h>
 #include <new>
@@ -292,7 +293,12 @@
             }
 
             if (count > N) {
-                fArray = (T*) sk_malloc_throw(count * sizeof(T));
+                const uint64_t size64 = sk_64_mul(count, sizeof(T));
+                const size_t size = static_cast<size_t>(size64);
+                if (size != size64) {
+                    sk_out_of_memory();
+                }
+                fArray = (T*) sk_malloc_throw(size);
             } else if (count > 0) {
                 fArray = (T*) fStorage;
             } else {