Prevent integer wrap around for malloc size when creating a SkRegion

BUG=484998 Review URL: https://codereview.chromium.org/1143603003
author: djsollen <djsollen@google.com> 2015-05-18 13:05:11 -0700
committer: Commit bot <commit-bot@chromium.org> 2015-05-18 13:05:11 -0700
commit: 38fd5fe289ec696632cdd8eed6ddf742dc315261 (patch)
tree: 21794d0b1eac9a7ee23704a1e9723f9b281d55e8 /src
parent: 9250d24de6bb7d26b462fb573f66431948496127 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/src/core/SkRegionPriv.h b/src/core/SkRegionPriv.h
index c8f000df35..00feedeab8 100644
--- a/src/core/SkRegionPriv.h
+++ b/src/core/SkRegionPriv.h
@@ -65,7 +65,10 @@ public:
 
         SkASSERT(count >= SkRegion::kRectRegionRuns);
 
-        RunHead* head = (RunHead*)sk_malloc_throw(sizeof(RunHead) + count * sizeof(RunType));
+        const int64_t size = sk_64_mul(count, sizeof(RunType)) + sizeof(RunHead);
+        if (count < 0 || !sk_64_isS32(size)) { SK_CRASH(); }
+
+        RunHead* head = (RunHead*)sk_malloc_throw(size);
         head->fRefCnt = 1;
         head->fRunCount = count;
         // these must be filled in later, otherwise we will be invalid
author	djsollen <djsollen@google.com>	2015-05-18 13:05:11 -0700
committer	Commit bot <commit-bot@chromium.org>	2015-05-18 13:05:11 -0700
commit	38fd5fe289ec696632cdd8eed6ddf742dc315261 (patch)
tree	21794d0b1eac9a7ee23704a1e9723f9b281d55e8 /src
parent	9250d24de6bb7d26b462fb573f66431948496127 (diff)