Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(121)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: src/effects/SkMagnifierImageFilter.cpp

Issue 92793002: Fixed bad bitmap size crashes (Closed) Base URL: https://skia.googlecode.com/svn/trunk
Patch Set: Changed getSize name to getAllocatedSizeInBytes Created 7 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« include/core/SkMallocPixelRef.h ('K') | « src/effects/SkLightingImageFilter.cpp ('k') | src/effects/SkMatrixConvolutionImageFilter.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: src/effects/SkMagnifierImageFilter.cpp
diff --git a/src/effects/SkMagnifierImageFilter.cpp b/src/effects/SkMagnifierImageFilter.cpp
index d4120598f1b4d626d0dc583c65bacc57c4f15d00..e6f3984bddda3a5beb5393a09d17ccf0ac86e65e 100644
--- a/src/effects/SkMagnifierImageFilter.cpp
+++ b/src/effects/SkMagnifierImageFilter.cpp
@@ -240,7 +240,9 @@ SkMagnifierImageFilter::SkMagnifierImageFilter(SkFlattenableReadBuffer& buffer)
fSrcRect = SkRect::MakeXYWH(x, y, width, height);
fInset = buffer.readScalar();
- buffer.validate(SkIsValidRect(fSrcRect) && SkScalarIsFinite(fInset));
+ buffer.validate(SkScalarIsFinite(fInset) && SkIsValidRect(fSrcRect) &&
+ // Negative numbers in src rect are not supported
+ (fSrcRect.fLeft >= 0) && (fSrcRect.fTop >= 0));
}
// FIXME: implement single-input semantics
@@ -283,7 +285,9 @@ bool SkMagnifierImageFilter::onFilterImage(Proxy*, const SkBitmap& src,
SkASSERT(fSrcRect.width() < src.width());
SkASSERT(fSrcRect.height() < src.height());
- if (src.config() != SkBitmap::kARGB_8888_Config) {
+ if ((src.config() != SkBitmap::kARGB_8888_Config) ||
+ (fSrcRect.width() >= src.width()) ||
+ (fSrcRect.height() >= src.height())) {
return false;
}
@@ -293,13 +297,17 @@ bool SkMagnifierImageFilter::onFilterImage(Proxy*, const SkBitmap& src,
return false;
}
+ dst->setConfig(src.config(), src.width(), src.height());
+ dst->allocPixels();
+ if (!dst->getPixels()) {
+ return false;
+ }
+
SkScalar inv_inset = fInset > 0 ? SkScalarInvert(fInset) : SK_Scalar1;
SkScalar inv_x_zoom = fSrcRect.width() / src.width();
SkScalar inv_y_zoom = fSrcRect.height() / src.height();
- dst->setConfig(src.config(), src.width(), src.height());
- dst->allocPixels();
SkColor* sptr = src.getAddr32(0, 0);
SkColor* dptr = dst->getAddr32(0, 0);
int width = src.width(), height = src.height();
@@ -332,8 +340,8 @@ bool SkMagnifierImageFilter::onFilterImage(Proxy*, const SkBitmap& src,
SkScalar y_interp = SkScalarMul(weight, (fSrcRect.y() + y * inv_y_zoom)) +
(SK_Scalar1 - weight) * y;
- int x_val = SkMin32(SkScalarFloorToInt(x_interp), width - 1);
- int y_val = SkMin32(SkScalarFloorToInt(y_interp), height - 1);
+ int x_val = SkPin32(SkScalarFloorToInt(x_interp), 0, width - 1);
+ int y_val = SkPin32(SkScalarFloorToInt(y_interp), 0, height - 1);
*dptr = sptr[y_val * width + x_val];
dptr++;
« include/core/SkMallocPixelRef.h ('K') | « src/effects/SkLightingImageFilter.cpp ('k') | src/effects/SkMatrixConvolutionImageFilter.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698