Fixed more fuzzer issues

- Added the "isAvailable" function to check how much bytes are remaining in the stream before doing potentially large mallocs. That way, we can signal a bad stream instead of crashing.
- Added data validation in SkImageInfo.cpp
- Added NULL pointer check in displacement
- Modified the fuzzer for randomized bitmap types

BUG=328934,329254
R=senorblanco@google.com, senorblanco@chromium.org, reed@google.com, sugoi@google.com

Author: sugoi@chromium.org

Review URL: https://codereview.chromium.org/116773002

git-svn-id: http://skia.googlecode.com/svn/trunk@12723 2bbb7eff-a529-9590-31e7-b0007b416f81

1 files changed, 9 insertions, 2 deletions

diff --git a/src/core/SkColorTable.cpp b/src/core/SkColorTable.cpp
index c719defe86..12ec43ec98 100644
--- a/src/core/SkColorTable.cpp
+++ b/src/core/SkColorTable.cpp
@@ -90,8 +90,15 @@ SkColorTable::SkColorTable(SkFlattenableReadBuffer& buffer) {
 
     fAlphaType = SkToU8(buffer.readUInt());
     fCount = buffer.getArrayCount();
-    fColors = (SkPMColor*)sk_malloc_throw(fCount * sizeof(SkPMColor));
-    SkDEBUGCODE(bool success =) buffer.readColorArray(fColors, fCount);
+    size_t allocSize = fCount * sizeof(SkPMColor);
+    SkDEBUGCODE(bool success = false;)
+    if (buffer.validateAvailable(allocSize)) {
+        fColors = (SkPMColor*)sk_malloc_throw(allocSize);
+        SkDEBUGCODE(success =) buffer.readColorArray(fColors, fCount);
+    } else {
+        fCount = 0;
+        fColors = NULL;
+    }
 #ifdef SK_DEBUG
     SkASSERT((unsigned)fCount <= 256);
     SkASSERT(success);