Fix integer overflow in SkColorSpace

src/core/SkColorSpace.cpp

 /*
  * Copyright 2016 Google Inc.
  *
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 #include "SkColorSpace.h"
 #include "SkColorSpace_Base.h"
 #include "SkEndian.h"
@@ skipping 348 matching lines @@
         return false;
     }
 
     dst[0] = SkFixedToFloat(read_big_endian_int(src + 8));
     dst[1] = SkFixedToFloat(read_big_endian_int(src + 12));
     dst[2] = SkFixedToFloat(read_big_endian_int(src + 16));
     SkColorSpacePrintf("XYZ %g %g %g\n", dst[0], dst[1], dst[2]);
     return true;
 }
 
+template <class T>
+static bool safe_add(T arg1, T arg2, size_t* result) {
+    SkASSERT(arg1 >= 0);
+    SkASSERT(arg2 >= 0);
+    if (arg1 >= 0 && arg2 <= std::numeric_limits<T>::max() - arg1) {
+        T sum = arg1 + arg2;
+        if (sum <= std::numeric_limits<size_t>::max()) {
+            *result = static_cast<size_t>(sum);
+            return true;
+        }
+    }
+    return false;
+}
+
 static constexpr uint32_t kTAG_CurveType     = SkSetFourByteTag('c', 'u', 'r', 'v');
 static constexpr uint32_t kTAG_ParaCurveType = SkSetFourByteTag('p', 'a', 'r', 'a');
 
 bool load_gammas(SkGammaCurve* gammas, uint32_t numGammas, const uint8_t* src, size_t len) {
     for (uint32_t i = 0; i < numGammas; i++) {
         if (len < 12) {
             // FIXME (msarett):
             // We could potentially return false here after correctly parsing *some* of the
             // gammas correctly.  Should we somehow try to indicate a partial success?
             SkColorSpacePrintf("gamma tag is too small (%d bytes)", len);
             return false;
         }
 
         // We need to count the number of bytes in the tag, so we are able to move to the
         // next tag on the next loop iteration.
         size_t tagBytes;
 
         uint32_t type = read_big_endian_uint(src);
         switch (type) {
             case kTAG_CurveType: {
                 uint32_t count = read_big_endian_uint(src + 8);
-                tagBytes = 12 + count * 2;
+
+                // tagBytes = 12 + 2 * count
+                // We need to do safe addition here to avoid integer overflow.
+                if (!safe_add(count, count, &tagBytes) ||
+                    !safe_add((size_t) 12, tagBytes, &tagBytes))
+                {
+                    SkColorSpacePrintf("Invalid gamma count");
+                    return false;
+                }
+
                 if (0 == count) {
                     // Some tags require a gamma curve, but the author doesn't actually want
                     // to transform the data.  In this case, it is common to see a curve with
                     // a count of 0.
                     gammas[i].fValue = 1.0f;
                     break;
                 } else if (len < tagBytes) {
                     SkColorSpacePrintf("gamma tag is too small (%d bytes)", len);
                     return false;
                 }
@@ skipping 647 matching lines @@
     ptr32[4] = SkEndian_SwapBE32(0x000116cc);
     ptr += kTAG_XYZ_Bytes;
 
     // Write copyright tag
     memcpy(ptr, gEmptyTextTag, sizeof(gEmptyTextTag));
 
     // TODO (msarett): Should we try to hold onto the data so we can return immediately if
     //                 the client calls again?
     return SkData::MakeFromMalloc(profile.release(), kICCProfileSize);
 }