Adding check on input count

src/core/SkImageFilter.cpp

Index: src/core/SkImageFilter.cpp
diff --git a/src/core/SkImageFilter.cpp b/src/core/SkImageFilter.cpp
index 3285e220de345a4940f5ec6c28d2600cfbb340dd..afada03c7816b2a54d7cdbcddbf1a819f21892ce 100644
--- a/src/core/SkImageFilter.cpp
+++ b/src/core/SkImageFilter.cpp
@@ -62,10 +62,15 @@ SkImageFilter::Common::~Common() {
     }
 }
 
-void SkImageFilter::Common::allocInputs(int count) {
+bool SkImageFilter::Common::allocInputs(size_t count) {
+    static const size_t maxInputs = ((size_t)(-1)) / sizeof(SkImageFilter*);

[Stephen White, 2015/01/07 19:31:12]

Division is kind of ugly. Could be (moving size computation up):

const uint64_t size64 = sk_mul_64(count, sizeof(SkImageFilter*));
const size_t size = (size_t) size64;
if (size != size64) {
  return false;
}

+    if (count > maxInputs) {
+        return false;
+    }
     const size_t size = count * sizeof(SkImageFilter*);
     fInputs.reset(count);
     sk_bzero(fInputs.get(), size);
+    return true;
 }
 
 void SkImageFilter::Common::detachInputs(SkImageFilter** inputs) {
@@ -76,14 +81,12 @@ void SkImageFilter::Common::detachInputs(SkImageFilter** inputs) {
 
 bool SkImageFilter::Common::unflatten(SkReadBuffer& buffer, int expectedCount) {
     const int count = buffer.readInt();
-    if (!buffer.validate(count >= 0)) {
-        return false;
-    }
-    if (!buffer.validate(expectedCount < 0 || count == expectedCount)) {
+    if (!buffer.validate((count >= 0) &&
+                         (expectedCount < 0 || count == expectedCount) &&
+                         (this->allocInputs(count)))) {
         return false;
     }
 
-    this->allocInputs(count);
     for (int i = 0; i < count; i++) {
         if (buffer.readBool()) {
             fInputs[i] = buffer.readImageFilter();