authorGravatar sugoi <sugoi@chromium.org>2015-01-07 08:47:44 -0800
committerGravatar Commit bot <commit-bot@chromium.org>2015-01-07 08:47:44 -0800
commitbd0d9da981289504c9dcd8547eaad52b1f4a52cb (patch)
treee33a8a6e2062247821fe895ead3f03a93f9b9eb7 /src
parent36a364a846dd5cee382069430f376286fe6c3af5 (diff)
Verify size_t overflow
On 32-bit builds, multiplying two 32-bit values can overflow a size_t, which may be a 32-bit unsigned type in that context, so this change adds a check for size_t overflow. BUG=445831 Review URL: https://codereview.chromium.org/836733005
Diffstat (limited to 'src')
-rw-r--r--src/core/SkBitmap.cpp13
1 files changed, 7 insertions, 6 deletions
diff --git a/src/core/SkBitmap.cpp b/src/core/SkBitmap.cpp
index 9db596de9c..c962aea21a 100644
--- a/src/core/SkBitmap.cpp
+++ b/src/core/SkBitmap.cpp
@@ -1202,16 +1202,17 @@ bool SkBitmap::ReadRawPixels(SkReadBuffer* buffer, SkBitmap* bitmap) {
}
const size_t ramRB = info.minRowBytes();
- const int height = info.height();
- const size_t snugSize = snugRB * height;
- const size_t ramSize = ramRB * height;
- if (!buffer->validate(snugSize <= ramSize)) {
+ const int height = SkMax32(info.height(), 0);
+ const uint64_t snugSize = sk_64_mul(snugRB, height);
+ const uint64_t ramSize = sk_64_mul(ramRB, height);
+ static const uint64_t max_size_t = (size_t)(-1);
+ if (!buffer->validate((snugSize <= ramSize) && (ramSize <= max_size_t))) {
return false;
}
- SkAutoDataUnref data(SkData::NewUninitialized(ramSize));
+ SkAutoDataUnref data(SkData::NewUninitialized(SkToSizeT(ramSize)));
char* dst = (char*)data->writable_data();
- buffer->readByteArray(dst, snugSize);
+ buffer->readByteArray(dst, SkToSizeT(snugSize));
if (snugSize != ramSize) {
const char* srcRow = dst + snugRB * (height - 1);