Fix array overrun and add test.

src/core/SkBlitter.cpp

 /*
  * Copyright 2006 The Android Open Source Project
  *
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 #include "SkBlitter.h"
 #include "SkAntiRun.h"
 #include "SkColor.h"
@@ skipping 108 matching lines @@
 
 void SkBlitter::blitMask(const SkMask& mask, const SkIRect& clip) {
     SkASSERT(mask.fBounds.contains(clip));
 
     if (mask.fFormat == SkMask::kBW_Format) {
         int cx = clip.fLeft;
         int cy = clip.fTop;
         int maskLeft = mask.fBounds.fLeft;
         int mask_rowBytes = mask.fRowBytes;
         int height = clip.height();
+        SkDEBUGCODE(const uint8_t* endOfImage =
+            mask.fImage + (mask.fBounds.fBottom - mask.fBounds.fTop) * mask_rowBytes;)
 
         const uint8_t* bits = mask.getAddr1(cx, cy);
 
         if (cx == maskLeft && clip.fRight == mask.fBounds.fRight) {
             while (--height >= 0) {
-                bits_to_runs(this, cx, cy, bits, 0xFF, mask_rowBytes, 0xFF);
+                SkASSERT(bits + mask_rowBytes <= endOfImage);
+                U8CPU rightMask = 0xFF << (8 - (clip.width() & 7));

[reed1, 2015/11/17 16:24:32]

note: this will be bigger than a byte, something you fixed below for rite_mask
with &. Do we need these two lines to be different?

[herb_g, 2015/11/17 20:14:03]

This ends up working because the bits_to_run code end up morally and'ing when
when checking test. It would be a bug below because of the rite_mask comparison
to zero. I rewrote the code.

+                bits_to_runs(this, cx, cy, bits, 0xFF, mask_rowBytes, rightMask);
                 bits += mask_rowBytes;
                 cy += 1;
             }
         } else {
             int left_edge = cx - maskLeft;
             SkASSERT(left_edge >= 0);
             int rite_edge = clip.fRight - maskLeft;
             SkASSERT(rite_edge > left_edge);
 
             int left_mask = 0xFF >> (left_edge & 7);
-            int rite_mask = 0xFF << (8 - (rite_edge & 7));
+            int rite_mask = (0xFF << (8 - (rite_edge & 7))) & 0xFF;
             int full_runs = (rite_edge >> 3) - ((left_edge + 7) >> 3);
 
             // check for empty right mask, so we don't read off the end (or go slower than we need to)
             if (rite_mask == 0) {
                 SkASSERT(full_runs >= 0);
                 full_runs -= 1;
                 rite_mask = 0xFF;
             }
             if (left_mask == 0xFF) {
                 full_runs -= 1;
             }
 
             // back up manually so we can keep in sync with our byte-aligned src
             // have cx reflect our actual starting x-coord
             cx -= left_edge & 7;
 
             if (full_runs < 0) {
                 SkASSERT((left_mask & rite_mask) != 0);
                 while (--height >= 0) {
+                    SkASSERT(bits + 1 <= endOfImage);
                     bits_to_runs(this, cx, cy, bits, left_mask, 1, rite_mask);
                     bits += mask_rowBytes;
                     cy += 1;
                 }
             } else {
                 while (--height >= 0) {
+                    SkASSERT(bits + full_runs + 2 <= endOfImage);
                     bits_to_runs(this, cx, cy, bits, left_mask, full_runs + 2, rite_mask);
                     bits += mask_rowBytes;
                     cy += 1;
                 }
             }
         }
     } else {
         int                         width = clip.width();
         SkAutoSTMalloc<64, int16_t> runStorage(width + 1);
         int16_t*                    runs = runStorage.get();
@@ skipping 787 matching lines @@
     fShaderContext->~Context();
     SkShader::Context* ctx = fShader->createContext(rec, (void*)fShaderContext);
     if (nullptr == ctx) {
         // Need a valid context in fShaderContext's storage, so we can later (or our caller) call
         // the in-place destructor.
         new (fShaderContext) SkZeroShaderContext(*fShader, rec);
         return false;
     }
     return true;
 }