Fixed bad bitmap size crashes

There were 2 issues :
1 ) If the size of an SkBitmap's underlying SkPixelRef's alocated memory is too small to fit the bitmap, then the deserialization will now check this and set an error appropriately.
2 ) If a device fails to allocate its pixels, the device will be deleted and NULL will be returned to avoid attempting to draw on a bad device.

BUG=
R=senorblanco@chromium.org, reed@google.com, sugoi@google.com, halcanary@google.com, mtklein@google.com

Author: sugoi@chromium.org

Review URL: https://codereview.chromium.org/92793002

git-svn-id: http://skia.googlecode.com/svn/trunk@12484 2bbb7eff-a529-9590-31e7-b0007b416f81

1 files changed, 5 insertions, 0 deletions

diff --git a/src/core/SkBitmap.cpp b/src/core/SkBitmap.cpp
index 9d4aa87c85..ad840c4390 100644
--- a/src/core/SkBitmap.cpp
+++ b/src/core/SkBitmap.cpp
@@ -1560,6 +1560,7 @@ void SkBitmap::unflatten(SkFlattenableReadBuffer& buffer) {
                     SkIsValidConfig(config) && validate_alphaType(config, alphaType));
 
     this->setConfig(config, width, height, rowBytes, alphaType);
+    buffer.validate(fRowBytes >= (fWidth * fBytesPerPixel));
 
     int reftype = buffer.readInt();
     if (buffer.validate((SERIALIZE_PIXELTYPE_REF_DATA == reftype) ||
@@ -1568,6 +1569,10 @@ void SkBitmap::unflatten(SkFlattenableReadBuffer& buffer) {
             case SERIALIZE_PIXELTYPE_REF_DATA: {
                 size_t offset = buffer.readUInt();
                 SkPixelRef* pr = buffer.readPixelRef();
+                if (!buffer.validate((NULL == pr) ||
+                       (pr->getAllocatedSizeInBytes() >= (offset + this->getSafeSize())))) {
+                    offset = 0;
+                }
                 SkSafeUnref(this->setPixelRef(pr, offset));
                 break;
             }