author | 2013-12-04 17:06:49 +0000 | |
---|---|---|
committer | 2013-12-04 17:06:49 +0000 | |
commit | cd3b15ca6364a04b0eeeb4f89c7daa8aefe854c8 (patch) | |
tree | a8153f3f6fcd156fec3d8d46555c2d81c1e90b67 /src/effects/SkMagnifierImageFilter.cpp | |
parent | 2b7d4639901e03a43278dfec0b949bc4535b90e2 (diff) |
Fixed bad bitmap size crashes
There were 2 issues :
1 ) If the size of an SkBitmap's underlying SkPixelRef's allocated memory is too small to fit the bitmap, then the deserialization will now check this and set an error appropriately.
2 ) If a device fails to allocate its pixels, the device will be deleted and NULL will be returned to avoid attempting to draw on a bad device.
BUG=
R=senorblanco@chromium.org, reed@google.com, sugoi@google.com, halcanary@google.com, mtklein@google.com
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/92793002
git-svn-id: http://skia.googlecode.com/svn/trunk@12484 2bbb7eff-a529-9590-31e7-b0007b416f81
Diffstat (limited to 'src/effects/SkMagnifierImageFilter.cpp')
-rw-r--r-- | src/effects/SkMagnifierImageFilter.cpp | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/src/effects/SkMagnifierImageFilter.cpp b/src/effects/SkMagnifierImageFilter.cpp
index d4120598f1..e6f3984bdd 100644
--- a/src/effects/SkMagnifierImageFilter.cpp
+++ b/src/effects/SkMagnifierImageFilter.cpp
@@ -240,7 +240,9 @@ SkMagnifierImageFilter::SkMagnifierImageFilter(SkFlattenableReadBuffer& buffer)
 fSrcRect = SkRect::MakeXYWH(x, y, width, height);
 fInset = buffer.readScalar();
- buffer.validate(SkIsValidRect(fSrcRect) && SkScalarIsFinite(fInset));
+ buffer.validate(SkScalarIsFinite(fInset) && SkIsValidRect(fSrcRect) &&
+ // Negative numbers in src rect are not supported
+ (fSrcRect.fLeft >= 0) && (fSrcRect.fTop >= 0));
 }
 // FIXME: implement single-input semantics
@@ -283,7 +285,9 @@ bool SkMagnifierImageFilter::onFilterImage(Proxy*, const SkBitmap& src,
 SkASSERT(fSrcRect.width() < src.width());
 SkASSERT(fSrcRect.height() < src.height());
- if (src.config() != SkBitmap::kARGB_8888_Config) {
+ if ((src.config() != SkBitmap::kARGB_8888_Config) ||
+ (fSrcRect.width() >= src.width()) ||
+ (fSrcRect.height() >= src.height())) {
 return false;
 }
@@ -293,13 +297,17 @@ bool SkMagnifierImageFilter::onFilterImage(Proxy*, const SkBitmap& src,
 return false;
 }
+ dst->setConfig(src.config(), src.width(), src.height());
+ dst->allocPixels();
+ if (!dst->getPixels()) {
+ return false;
+ }
+
 SkScalar inv_inset = fInset > 0 ? SkScalarInvert(fInset) : SK_Scalar1;
 SkScalar inv_x_zoom = fSrcRect.width() / src.width();
 SkScalar inv_y_zoom = fSrcRect.height() / src.height();
- dst->setConfig(src.config(), src.width(), src.height());
- dst->allocPixels();
 SkColor* sptr = src.getAddr32(0, 0);
 SkColor* dptr = dst->getAddr32(0, 0);
 int width = src.width(), height = src.height();
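Review bot: In the second hunk (`onFilterImage`, new line 285 onward) the two `SkASSERT` lines above the new condition still run first, so a build with assertions enabled aborts on a deserialized filter whose `fSrcRect` is as wide or as tall as `src`, before the added `return false` is reached. The asserts and the runtime check now test the same condition with opposite outcomes. Dropping `SkASSERT(fSrcRect.width() < src.width());` and `SkASSERT(fSrcRect.height() < src.height());`, or moving them below the `if`, makes the rejection path behave the same in debug and release builds. The function body starts and ends outside this hunk.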
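Review bot: In the third hunk (new line 297 onward) nothing records why the allocation was moved ahead of the scalar setup or what the new `getPixels()` test protects, namely the `dst->getAddr32(0, 0)` pointer that is written through further down. A one-line comment above the `if` would keep a later cleanup from reordering it, for example `// Allocation can fail for oversized or untrusted dimensions; bail out before taking getAddr32() on dst.` On this early return `dst` stays configured with the source dimensions but has no pixels, so the same comment could state that callers must not use `dst` when false is returned. The function body starts and ends outside this hunk.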
@@ -332,8 +340,8 @@ bool SkMagnifierImageFilter::onFilterImage(Proxy*, const SkBitmap& src,
 SkScalar y_interp = SkScalarMul(weight, (fSrcRect.y() + y * inv_y_zoom)) + (SK_Scalar1 - weight) * y;
- int x_val = SkMin32(SkScalarFloorToInt(x_interp), width - 1);
- int y_val = SkMin32(SkScalarFloorToInt(y_interp), height - 1);
+ int x_val = SkPin32(SkScalarFloorToInt(x_interp), 0, width - 1);
+ int y_val = SkPin32(SkScalarFloorToInt(y_interp), 0, height - 1);
 *dptr = sptr[y_val * width + x_val];
 dptr++; |
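Review bot: `SkPin32` clamps only after `SkScalarFloorToInt` has already converted the scalar, and `y_interp` is built from `fSrcRect.y()` (`x_interp` presumably likewise from `fSrcRect.x()`), which the deserialization check in the first hunk bounds from below but not from above. Whether a finite scalar far outside the int range converts to a value the pin can still clamp depends on how `SkScalarFloorToInt` is implemented, which is not visible here. If source rects reaching past the bitmap are not meant to be supported, the rejection added in the second hunk could also test the far edges, e.g. `(fSrcRect.fRight > src.width()) || (fSrcRect.fBottom > src.height())`, so the offsets are bounded before any conversion. The loop body continues outside this hunk.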