check for too-large rowBytes

BUG=446164

Review URL: https://codereview.chromium.org/871993003

2 files changed, 18 insertions, 3 deletions

diff --git a/src/core/SkMallocPixelRef.cpp b/src/core/SkMallocPixelRef.cpp
index f4ba969662..12aa1f63d6 100644
--- a/src/core/SkMallocPixelRef.cpp
+++ b/src/core/SkMallocPixelRef.cpp
@@ -56,8 +56,9 @@ SkMallocPixelRef* SkMallocPixelRef::NewAllocate(const SkImageInfo& info,
         return NULL;
     }
 
-    int32_t minRB = SkToS32(info.minRowBytes());
-    if (minRB < 0) {
+    // only want to permit 31bits of rowBytes
+    int64_t minRB = (int64_t)info.minRowBytes64();
+    if (minRB < 0 || !sk_64_isS32(minRB)) {
         return NULL;    // allocation will be too large
     }
     if (requestedRowBytes > 0 && (int32_t)requestedRowBytes < minRB) {
diff --git a/tests/BitmapTest.cpp b/tests/BitmapTest.cpp
index ef69531912..f3d8faa967 100644
--- a/tests/BitmapTest.cpp
+++ b/tests/BitmapTest.cpp
@@ -6,9 +6,22 @@
  */
 
 #include "SkBitmap.h"
-
+#include "SkMallocPixelRef.h"
 #include "Test.h"
 
+// https://code.google.com/p/chromium/issues/detail?id=446164
+static void test_bigalloc(skiatest::Reporter* reporter) {
+    const int width = 0x40000001;
+    const int height = 0x00000096;
+    const SkImageInfo info = SkImageInfo::MakeN32Premul(width, height);
+
+    SkBitmap bm;
+    REPORTER_ASSERT(reporter, !bm.tryAllocPixels(info));
+
+    SkPixelRef* pr = SkMallocPixelRef::NewAllocate(info, info.minRowBytes(), NULL);
+    REPORTER_ASSERT(reporter, !pr);
+}
+
 static void test_allocpixels(skiatest::Reporter* reporter) {
     const int width = 10;
     const int height = 10;
@@ -81,4 +94,5 @@ DEF_TEST(Bitmap, reporter) {
 
     test_bigwidth(reporter);
     test_allocpixels(reporter);
+    test_bigalloc(reporter);
 }