check for bad buffers in Unpack8

Bug:799918
Change-Id: I0502a487d67ce757bf818823cf0ad46b7703294c
Reviewed-on: https://skia-review.googlesource.com/92841
Commit-Queue: Mike Reed <reed@google.com>
Reviewed-by: Florin Malita <fmalita@chromium.org>

2 files changed, 4 insertions, 3 deletions

diff --git a/src/effects/SkPackBits.cpp b/src/effects/SkPackBits.cpp
index 286d9d140c..d2dfed9de1 100644
--- a/src/effects/SkPackBits.cpp
+++ b/src/effects/SkPackBits.cpp
@@ -88,13 +88,13 @@ int SkPackBits::Unpack8(const uint8_t* SK_RESTRICT src, size_t srcSize,
         unsigned n = *src++;
         if (n <= 127) {   // repeat count (n + 1)
             n += 1;
-            if (dst >(endDst - n)) {
+            if (dst > (endDst - n) || src >= stop) {
                 return 0;
             }
             memset(dst, *src++, n);
         } else {    // same count (n - 127)
             n -= 127;
-            if (dst > (endDst - n)) {
+            if (dst > (endDst - n) || src > (stop - n)) {
                 return 0;
             }
             memcpy(dst, src, n);
@@ -103,5 +103,6 @@ int SkPackBits::Unpack8(const uint8_t* SK_RESTRICT src, size_t srcSize,
         dst += n;
     }
     SkASSERT(src <= stop);
+    SkASSERT(dst <= endDst);
     return SkToInt(dst - origDst);
 }
diff --git a/src/effects/SkPackBits.h b/src/effects/SkPackBits.h
index 2dc7677afc..773b13e0c1 100644
--- a/src/effects/SkPackBits.h
+++ b/src/effects/SkPackBits.h
@@ -36,7 +36,7 @@ public:
         @param srcSize  Number of bytes of src to unpack
         @param dst      Buffer (allocated by caller) to expand the src[] into.
         @param dstSize  Number of bytes in the output buffer.
-        @return the number of bytes written into dst.
+        @return the number of bytes written into dst, or 0 if srcSize or dstSize are too small.
     */
     static int Unpack8(const uint8_t src[], size_t srcSize, uint8_t dst[],
                        size_t dstSize);