commit 7469a9341afab19271b8ef07af5c16a0f2c4ccc1
author Brian Salomon <bsalomon@google.com> Mon Nov 12 10:53:33 2018 -0500
committer Skia Commit-Bot <skia-commit-bot@chromium.org> Mon Nov 12 15:55:40 2018 +0000
tree c6b0107b9bc37a65f886821b12afb55207bf7841
parent b8d8584833a4d3ab2d1202d11a09594a9cd5fbda

Validate allocation size in GrBufferAllocPool using SkSafeMath.

Bug: 895362

Cherry pick to M71

No-Tree-Checks: true
No-Try: true
No-Presubmit: true
Change-Id: I3a49bcd899760d33789a9df17a0a5f3556c879a5
Reviewed-On: https://skia-review.googlesource.com/c/163485
Reviewed-By: Brian Osman <brianosman@google.com>
Commit-Queue: Brian Salomon <bsalomon@google.com>
Reviewed-on: https://skia-review.googlesource.com/c/170349
Reviewed-by: Brian Salomon <bsalomon@google.com>

src/gpu/GrBufferAllocPool.cpp

diff --git a/src/gpu/GrBufferAllocPool.cpp b/src/gpu/GrBufferAllocPool.cpp
index 1f16c69..13ee40c 100644
--- a/src/gpu/GrBufferAllocPool.cpp
+++ b/src/gpu/GrBufferAllocPool.cpp
@@ -151,13 +151,18 @@
         BufferBlock& back = fBlocks.back();
         size_t usedBytes = back.fBuffer->gpuMemorySize() - back.fBytesFree;
         size_t pad = GrSizeAlignUpPad(usedBytes, alignment);
-        if ((size + pad) <= back.fBytesFree) {
+        SkSafeMath safeMath;
+        size_t alignedSize = safeMath.add(pad, size);
+        if (!safeMath.ok()) {
+            return nullptr;
+        }
+        if (alignedSize <= back.fBytesFree) {
             memset((void*)(reinterpret_cast<intptr_t>(fBufferPtr) + usedBytes), 0, pad);
             usedBytes += pad;
             *offset = usedBytes;
             *buffer = back.fBuffer;
-            back.fBytesFree -= size + pad;
-            fBytesInUse += size + pad;
+            back.fBytesFree -= alignedSize;
+            fBytesInUse += alignedSize;
             VALIDATE();
             return (void*)(reinterpret_cast<intptr_t>(fBufferPtr) + usedBytes);
         }