check for 0 upem in freetype

add 32bit-overflow check



git-svn-id: http://skia.googlecode.com/svn/trunk@165 2bbb7eff-a529-9590-31e7-b0007b416f81

1 files changed, 15 insertions, 2 deletions

diff --git a/src/images/SkImageDecoder_libpng.cpp b/src/images/SkImageDecoder_libpng.cpp
index 1d1dd34433..9c0b48d98f 100644
--- a/src/images/SkImageDecoder_libpng.cpp
+++ b/src/images/SkImageDecoder_libpng.cpp
@@ -259,7 +259,20 @@ bool SkPNGImageDecoder::onDecode(SkStream* sk_stream, SkBitmap* decodedBitmap,
             }
         }
     }
-    
+
+    // sanity check for size
+    {
+        Sk64 size;
+        size.setMul(origWidth, origHeight);
+        if (size.isNeg() || !size.is32()) {
+            return false;
+        }
+        // now check that if we are 4-bytes per pixel, we also don't overflow
+        if (size.get32() > (0x7FFFFFFF >> 2)) {
+            return false;
+        }
+    }
+
     if (!this->chooseFromOneChoice(config, origWidth, origHeight)) {
         return false;
     }
@@ -396,7 +409,7 @@ bool SkPNGImageDecoder::onDecode(SkStream* sk_stream, SkBitmap* decodedBitmap,
             SkAutoMalloc storage(origWidth * origHeight * srcBytesPerPixel);
             uint8_t* base = (uint8_t*)storage.get();
             size_t rb = origWidth * srcBytesPerPixel;
-            
+
             for (int i = 0; i < number_passes; i++) {
                 uint8_t* row = base;
                 for (png_uint_32 y = 0; y < origHeight; y++) {