Chromium Code Reviews Chromium Code Reviews
Issue 116773002:
Fixed more fuzzer issues (Closed)
Base URL: https://skia.googlesource.com/skia.git@master| Index: src/effects/gradients/SkGradientShader.cpp |
| diff --git a/src/effects/gradients/SkGradientShader.cpp b/src/effects/gradients/SkGradientShader.cpp |
| index 5d200d18d354135f7f11e4807964631edc32409e..ee6984b8061bd3ff0ecba5bb13fcc2dcfb46a804 100644 |
| --- a/src/effects/gradients/SkGradientShader.cpp |
| +++ b/src/effects/gradients/SkGradientShader.cpp |
| @@ -154,8 +154,13 @@ SkGradientShaderBase::SkGradientShaderBase(SkFlattenableReadBuffer& buffer) : IN |
| int colorCount = fColorCount = buffer.getArrayCount(); |
| if (colorCount > kColorStorageCount) { |
| - size_t size = sizeof(SkColor) + sizeof(SkPMColor) + sizeof(Rec); |
| - fOrigColors = (SkColor*)sk_malloc_throw(size * colorCount); |
| + size_t allocSize = (sizeof(SkColor) + sizeof(SkPMColor) + sizeof(Rec)) * colorCount; |
| + if (buffer.validate(buffer.isAvailable(allocSize))) { |
|
reed1
2013/12/16 21:53:13
this double call pattern keeps appearing:
obj.val
sugoi
2013/12/17 15:55:45
Will do
|
| + fOrigColors = reinterpret_cast<SkColor*>(sk_malloc_throw(allocSize)); |
| + } else { |
| + fOrigColors = NULL; |
| + colorCount = fColorCount = 0; |
| + } |
| } else { |
| fOrigColors = fStorage; |
| } |
