authorGravatar sugoi <sugoi@chromium.org>2015-02-09 13:17:21 -0800
committerGravatar Commit bot <commit-bot@chromium.org>2015-02-09 13:17:21 -0800
commit8e85761e5a4a0b169cf101c4d72142ee4b87d266 (patch)
tree60e6c0319819cf4ea0602eae0962231318c86beb /src
parent61adb1b6491db3d3552d09a1c69ba5a37beb38d5 (diff)
Fixed array read error
In 32 bits, if the "element count" was under 32 bits, but "element count" * "element size" was over the 32 bit limit, the overflow was causing the read operation to appear as if it had succeeded, even though it should have failed. BUG=456828 Review URL: https://codereview.chromium.org/904833003
Diffstat (limited to 'src')
-rw-r--r--src/core/SkValidatingReadBuffer.cpp2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/core/SkValidatingReadBuffer.cpp b/src/core/SkValidatingReadBuffer.cpp
index 96b0863936..fd00e7d989 100644
--- a/src/core/SkValidatingReadBuffer.cpp
+++ b/src/core/SkValidatingReadBuffer.cpp
@@ -175,7 +175,9 @@ bool SkValidatingReadBuffer::readArray(void* value, size_t size, size_t elementS
const uint32_t count = this->getArrayCount();
this->validate(size == count);
(void)this->skip(sizeof(uint32_t)); // Skip array count
+ const uint64_t byteLength64 = sk_64_mul(count, elementSize);
const size_t byteLength = count * elementSize;
+ this->validate(byteLength == byteLength64);
const void* ptr = this->skip(SkAlign4(byteLength));
if (!fError) {
memcpy(value, ptr, byteLength);
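Review bot: The new `validate(byteLength == byteLength64)` catches a wrapped product, but the following `SkAlign4(byteLength)` can still wrap on a 32-bit `size_t` when a non-overflowing `byteLength` lies within 3 of the maximum. In that case `skip()` would be asked for a tiny length while `memcpy` still copies the full `byteLength`. Whether `skip()` rejects this on its own is not visible in the hunk, so I would bound it here, e.g. `this->validate(byteLength == byteLength64 && byteLength <= SIZE_MAX - 3);`. A short comment above the check, such as `// Reject count * elementSize that does not fit in size_t (32-bit builds)`, would also record why both products are computed, since the comparison presumably cannot fail where `size_t` is already 64 bits wide. The body of `readArray` starts and ends outside the hunk.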