Verify size_t overflow

src/core/SkBitmap.cpp

Index: src/core/SkBitmap.cpp
diff --git a/src/core/SkBitmap.cpp b/src/core/SkBitmap.cpp
index 9db596de9cc9023fe32ae9b5ba24ae473e041345..e446df9e201de9e99f56495cb7002f197980d30c 100644
--- a/src/core/SkBitmap.cpp
+++ b/src/core/SkBitmap.cpp
@@ -1202,16 +1202,17 @@ bool SkBitmap::ReadRawPixels(SkReadBuffer* buffer, SkBitmap* bitmap) {
     }
 
     const size_t ramRB = info.minRowBytes();
-    const int height = info.height();
-    const size_t snugSize = snugRB * height;
-    const size_t ramSize = ramRB * height;
-    if (!buffer->validate(snugSize <= ramSize)) {
+    const int height = SkMax32(info.height(), 0);

[sugoi1, 2015/01/07 16:09:04]

height can apparently be negative and valid, which just means "empty", so I have
to prevent negative numbers here to avoid the rest of the math being wrong since
it will use int64_t to multiply, which is a signed integer type

+    const uint64_t snugSize = sk_64_mul(snugRB, height);
+    const uint64_t ramSize = sk_64_mul(ramRB, height);
+    static const uint64_t max_size_t = (size_t)(-1);
+    if (!buffer->validate((snugSize <= ramSize) && (ramSize <= max_size_t))) {
         return false;
     }
 
-    SkAutoDataUnref data(SkData::NewUninitialized(ramSize));
+    SkAutoDataUnref data(SkData::NewUninitialized(static_cast<size_t>(ramSize)));

[sugoi1, 2015/01/07 16:09:04]

This cast and the following one should do nothing on 64b arch, but should
prevent warnings when compiling on 32b arch.

[reed1, 2015/01/07 16:19:35]

SkToSizeT(ramSize) -- this guy checks for overflow in debug builds, and performs
the cast.

[sugoi1, 2015/01/07 16:28:35]

Done.

     char* dst = (char*)data->writable_data();
-    buffer->readByteArray(dst, snugSize);
+    buffer->readByteArray(dst, static_cast<size_t>(snugSize));
 
     if (snugSize != ramSize) {
         const char* srcRow = dst + snugRB * (height - 1);