authorGravatar robertphillips <robertphillips@google.com>2016-06-28 09:04:34 -0700
committerGravatar Commit bot <commit-bot@chromium.org>2016-06-28 09:04:34 -0700
commit74139f1b49d02b38006170c3e50439c1b33b175f (patch)
tree3cd0f91864e139eb5fc413b013142979b3f8242d
parentab527a5bbfb1eae4f99a1435d349a44d00477d82 (diff)
Address two fuzzer bugs:
SkImageInfos that were made invalid weren't being caught
Messing with the size of a SAVE record wasn't being caught

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2104973003
Review-Url: https://codereview.chromium.org/2104973003
-rw-r--r--src/core/SkBitmap.cpp6
-rw-r--r--src/core/SkPicturePlayback.cpp5
2 files changed, 7 insertions, 4 deletions
diff --git a/src/core/SkBitmap.cpp b/src/core/SkBitmap.cpp
index 8cb8e4d6fc..863169c458 100644
--- a/src/core/SkBitmap.cpp
+++ b/src/core/SkBitmap.cpp
@@ -1145,8 +1145,10 @@ bool SkBitmap::ReadRawPixels(SkReadBuffer* buffer, SkBitmap* bitmap) {
SkImageInfo info;
info.unflatten(*buffer);
- // If there was an error reading "info", don't use it to compute minRowBytes()
- if (!buffer->validate(true)) {
+ // If there was an error reading "info" or if it is bogus,
+ // don't use it to compute minRowBytes()
+ if (!buffer->validate(SkColorTypeValidateAlphaType(info.colorType(),
+ info.alphaType()))) {
return false;
}
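Review bot: The new guard in ReadRawPixels only checks that `info.colorType()` and `info.alphaType()` form a legal pair, so the comment's "if it is bogus" promises more than the condition delivers; as far as this hunk shows, the width and height read from the same untrusted buffer still reach minRowBytes() unchecked. Either narrow the comment to `// ... or if its color/alpha types are inconsistent`, or extend the condition with `info.width() >= 0 && info.height() >= 0 &&` ahead of the type check. The rest of the function lies outside the hunk, so a later size check may already cover the dimensions; if it does, a comment pointing at it would help the next reader. Whether an earlier read error inside unflatten() still makes this call fail depends on how validate() tracks prior errors, which is not visible here and is worth confirming now that the argument is no longer the constant `true`.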
diff --git a/src/core/SkPicturePlayback.cpp b/src/core/SkPicturePlayback.cpp
index 36d385c095..3cbcdbbd2f 100644
--- a/src/core/SkPicturePlayback.cpp
+++ b/src/core/SkPicturePlayback.cpp
@@ -543,8 +543,9 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader,
case SAVE:
// SKPs with version < 29 also store a SaveFlags param.
if (size > 4) {
- SkASSERT(8 == size);
- reader->readInt();
+ if (reader->validate(8 == size)) {
+ reader->readInt();
+ }
}
canvas->save();
break;
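Review bot: In the SAVE case a failed `reader->validate(8 == size)` only skips the readInt(); control still falls through to `canvas->save()`, so a record with a tampered size pushes a save onto the canvas after the reader has been flagged invalid. Leaving the case first keeps the canvas state untouched on bad input: `if (!reader->validate(8 == size)) { break; }` followed by an unconditional `reader->readInt();`. Whether playback actually stops after this op depends on the loop that calls handleOp, which is outside the hunk, so the current code presumably relies on that caller checking reader validity. A short comment such as `// only sizes 4 and 8 are legal for SAVE` would also preserve the intent the removed SkASSERT expressed.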