| Index: src/core/SkBitmap.cpp
|
| diff --git a/src/core/SkBitmap.cpp b/src/core/SkBitmap.cpp
|
| index 9d4aa87c857fa0bc62eb3bbf946b76e70940f70b..101f65488df3739a1eb749cf42762c494cadf4bf 100644
|
| --- a/src/core/SkBitmap.cpp
|
| +++ b/src/core/SkBitmap.cpp
|
| @@ -1560,6 +1560,7 @@ void SkBitmap::unflatten(SkFlattenableReadBuffer& buffer) {
|
| SkIsValidConfig(config) && validate_alphaType(config, alphaType));
|
|
|
| this->setConfig(config, width, height, rowBytes, alphaType);
|
| + buffer.validate(fRowBytes >= (fWidth * fBytesPerPixel));
|
|
|
| int reftype = buffer.readInt();
|
| if (buffer.validate((SERIALIZE_PIXELTYPE_REF_DATA == reftype) ||
|
| @@ -1568,6 +1569,10 @@ void SkBitmap::unflatten(SkFlattenableReadBuffer& buffer) {
|
| case SERIALIZE_PIXELTYPE_REF_DATA: {
|
| size_t offset = buffer.readUInt();
|
| SkPixelRef* pr = buffer.readPixelRef();
|
| + if (!buffer.validate((NULL == pr) ||
|
| + (pr->getSize() >= (offset + this->getSafeSize())))) {
|
| + offset = 0;
|
| + }
|
| SkSafeUnref(this->setPixelRef(pr, offset));
|
| break;
|
| }
|
|
|
Chromium Code Reviews
Issue 92793002:
Fixed bad bitmap size crashes (Closed)
Base URL: https://skia.googlecode.com/svn/trunk