diff options
author | commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81> | 2013-12-04 17:06:49 +0000 |
---|---|---|
committer | commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81> | 2013-12-04 17:06:49 +0000 |
commit | cd3b15ca6364a04b0eeeb4f89c7daa8aefe854c8 (patch) | |
tree | a8153f3f6fcd156fec3d8d46555c2d81c1e90b67 /include | |
parent | 2b7d4639901e03a43278dfec0b949bc4535b90e2 (diff) |
Fixed bad bitmap size crashes
There were 2 issues :
1 ) If the size of an SkBitmap's underlying SkPixelRef's alocated memory is too small to fit the bitmap, then the deserialization will now check this and set an error appropriately.
2 ) If a device fails to allocate its pixels, the device will be deleted and NULL will be returned to avoid attempting to draw on a bad device.
BUG=
R=senorblanco@chromium.org, reed@google.com, sugoi@google.com, halcanary@google.com, mtklein@google.com
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/92793002
git-svn-id: http://skia.googlecode.com/svn/trunk@12484 2bbb7eff-a529-9590-31e7-b0007b416f81
Diffstat (limited to 'include')
-rw-r--r-- | include/core/SkMallocPixelRef.h | 5 | ||||
-rw-r--r-- | include/core/SkPixelRef.h | 10 |
2 files changed, 13 insertions, 2 deletions
diff --git a/include/core/SkMallocPixelRef.h b/include/core/SkMallocPixelRef.h index 2241a513e7..100a15d90a 100644 --- a/include/core/SkMallocPixelRef.h +++ b/include/core/SkMallocPixelRef.h @@ -24,8 +24,6 @@ public: SkMallocPixelRef(void* addr, size_t size, SkColorTable* ctable, bool ownPixels = true); virtual ~SkMallocPixelRef(); - //! Return the allocation size for the pixels - size_t getSize() const { return fSize; } void* getAddr() const { return fStorage; } SK_DECLARE_PUBLIC_FLATTENABLE_DESERIALIZATION_PROCS(SkMallocPixelRef) @@ -38,6 +36,9 @@ protected: SkMallocPixelRef(SkFlattenableReadBuffer& buffer); virtual void flatten(SkFlattenableWriteBuffer&) const SK_OVERRIDE; + // Returns the allocation size for the pixels + virtual size_t getAllocatedSizeInBytes() const SK_OVERRIDE { return fSize; } + private: void* fStorage; size_t fSize; diff --git a/include/core/SkPixelRef.h b/include/core/SkPixelRef.h index d90e58719b..4c564e40c2 100644 --- a/include/core/SkPixelRef.h +++ b/include/core/SkPixelRef.h @@ -257,6 +257,16 @@ protected: // default impl returns NULL. virtual SkData* onRefEncodedData(); + /** + * Returns the size (in bytes) of the internally allocated memory. + * This should be implemented in all serializable SkPixelRef derived classes. + * SkBitmap::fPixelRefOffset + SkBitmap::getSafeSize() should never overflow this value, + * otherwise the rendering code may attempt to read memory out of bounds. + * + * @return default impl returns 0. + */ + virtual size_t getAllocatedSizeInBytes() const; + /** Return the mutex associated with this pixelref. This value is assigned in the constructor, and cannot change during the lifetime of the object. */ |