check for too-large rowBytes
BUG=446164
Review URL: https://codereview.chromium.org/871993003
diff --git a/src/core/SkMallocPixelRef.cpp b/src/core/SkMallocPixelRef.cpp
index f4ba969..12aa1f6 100644
--- a/src/core/SkMallocPixelRef.cpp
+++ b/src/core/SkMallocPixelRef.cpp
@@ -56,8 +56,9 @@
return NULL;
}
- int32_t minRB = SkToS32(info.minRowBytes());
- if (minRB < 0) {
+ // only want to permit 31bits of rowBytes
+ int64_t minRB = (int64_t)info.minRowBytes64();
+ if (minRB < 0 || !sk_64_isS32(minRB)) {
return NULL; // allocation will be too large
}
if (requestedRowBytes > 0 && (int32_t)requestedRowBytes < minRB) {
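Review bot: The unchanged comparison `(int32_t)requestedRowBytes < minRB` still narrows the caller-supplied row bytes to 32 bits before comparing against the now 64-bit `minRB`. If `requestedRowBytes` is a wider unsigned type (its declaration is outside the hunk), a value above INT32_MAX is judged by its truncated low bits, so an oversized request could pass as a small one. The request should get the same 31-bit limit as the minimum, for example `if (requestedRowBytes > 0 && (!sk_64_isS32((int64_t)requestedRowBytes) || (int64_t)requestedRowBytes < minRB)) {`. The enclosing function starts and ends outside the hunk, so the branch body and the later size computation should be checked against this.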
diff --git a/tests/BitmapTest.cpp b/tests/BitmapTest.cpp
index ef69531..f3d8faa 100644
--- a/tests/BitmapTest.cpp
+++ b/tests/BitmapTest.cpp
@@ -6,9 +6,22 @@
*/
#include "SkBitmap.h"
-
+#include "SkMallocPixelRef.h"
#include "Test.h"
+// https://code.google.com/p/chromium/issues/detail?id=446164
+static void test_bigalloc(skiatest::Reporter* reporter) {
+ const int width = 0x40000001;
+ const int height = 0x00000096;
+ const SkImageInfo info = SkImageInfo::MakeN32Premul(width, height);
+
+ SkBitmap bm;
+ REPORTER_ASSERT(reporter, !bm.tryAllocPixels(info));
+
+ SkPixelRef* pr = SkMallocPixelRef::NewAllocate(info, info.minRowBytes(), NULL);
+ REPORTER_ASSERT(reporter, !pr);
+}
+
static void test_allocpixels(skiatest::Reporter* reporter) {
const int width = 10;
const int height = 10;
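Review bot: `test_bigalloc` calls `NewAllocate` with only one requested value, `info.minRowBytes()`, the non-64 variant. For this width at 4 bytes per pixel the true row size is 0x100000004, so the argument that reaches `NewAllocate` depends on how that call narrows. The test therefore does not show which guard rejected the allocation. A second assertion passing 0 would skip the `requestedRowBytes > 0` comparison and pin the new `minRowBytes64()` check on its own: `REPORTER_ASSERT(reporter, !SkMallocPixelRef::NewAllocate(info, 0, NULL));`. Separately, if a regression makes `pr` non-null the test leaks it, so an `SkSafeUnref(pr);` after the assertion would keep the failure path clean.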
@@ -81,4 +94,5 @@
test_bigwidth(reporter);
test_allocpixels(reporter);
+ test_bigalloc(reporter);
}