detect if makeOffset failed

If we don't detect this, this imagefilter might not write to all of the pixels
it claims it will, resulting in uninitialized memory.

Bug: oss-fuzz:7209
Change-Id: I6c53757046b4d6051da1b317310c89b8ec4752ca
Reviewed-on: https://skia-review.googlesource.com/119145
Reviewed-by: Mike Reed <reed@google.com>
Commit-Queue: Mike Reed <reed@google.com>

1 files changed, 5 insertions, 0 deletions

diff --git a/src/effects/SkDisplacementMapEffect.cpp b/src/effects/SkDisplacementMapEffect.cpp
index 189102328b..5dd3ece316 100644
--- a/src/effects/SkDisplacementMapEffect.cpp
+++ b/src/effects/SkDisplacementMapEffect.cpp
@@ -269,6 +269,11 @@ sk_sp<SkSpecialImage> SkDisplacementMapEffect::onFilterImage(SkSpecialImage* sou
     }
 
     const SkIRect colorBounds = bounds.makeOffset(-colorOffset.x(), -colorOffset.y());
+    // If the offset overflowed (saturated) then we have to abort, as we need their
+    // dimensions to be equal. See https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7209
+    if (colorBounds.size() != bounds.size()) {
+        return nullptr;
+    }
 
     SkVector scale = SkVector::Make(fScale, fScale);
     ctx.ctm().mapVectors(&scale, 1);