fix mask address calculation

Switching the math from using fMaskPtr.stride to using mask.fRowBytes fixes the integer overflow here. However, if done naively it'd still do the math wrong, as mask.fRowBytes is stored as a uint32_t, and the 32-bit overflow still happens, silently. So we explicitly promote to size_t too. As a follow up we should consider turning on 'integer' sanitizer, which treats unsigned integer overflow as an error. Even though it's technically defined, it's likely not intended. Bug: skia:7563 Change-Id: Ia579d4f5615ed28180e6aaf3d4c3b54f516e655c Reviewed-on: https://skia-review.googlesource.com/110260 Commit-Queue: Mike Klein <mtklein@chromium.org> Reviewed-by: Kevin Lubick <kjlubick@google.com>
author: Mike Klein <mtklein@chromium.org> 2018-02-26 11:56:30 -0500
committer: Skia Commit-Bot <skia-commit-bot@chromium.org> 2018-02-26 18:27:58 +0000
commit: ec84612c09ec60a93d7a736e6b0818cab6a5c8ec (patch)
tree: 2b153b3536118d4fe6928f7f0746f697abaa043c /src
parent: a77c253a1de8e7f1e8ba1614159101f0b5891547 (diff)
1 files changed, 8 insertions, 6 deletions
diff --git a/src/core/SkRasterPipelineBlitter.cpp b/src/core/SkRasterPipelineBlitter.cpp
index e926353426..0d45fa11b1 100644
--- a/src/core/SkRasterPipelineBlitter.cpp
+++ b/src/core/SkRasterPipelineBlitter.cpp
@@ -472,17 +472,19 @@ void SkRasterPipelineBlitter::blitMask(const SkMask& mask, const SkIRect& clip)
 
     std::function<void(size_t,size_t,size_t,size_t)>* blitter = nullptr;
     // Update fMaskPtr to point "into" this current mask, but lined up with fDstPtr at (0,0).
+    // mask.fRowBytes is a uint32_t, which would break our addressing math on 64-bit builds.
+    size_t rowBytes = mask.fRowBytes;
     switch (effectiveMaskFormat) {
         case SkMask::kA8_Format:
-            fMaskPtr.stride = mask.fRowBytes;
-            fMaskPtr.pixels = (uint8_t*)mask.fImage - mask.fBounds.left()
-                                                    - mask.fBounds.top() * fMaskPtr.stride;
+            fMaskPtr.stride = rowBytes;
+            fMaskPtr.pixels = (uint8_t*)(mask.fImage - mask.fBounds.left() * (size_t)1
+                                                     - mask.fBounds.top()  * rowBytes);
             blitter = &fBlitMaskA8;
             break;
         case SkMask::kLCD16_Format:
-            fMaskPtr.stride = mask.fRowBytes / 2;
-            fMaskPtr.pixels = (uint16_t*)mask.fImage - mask.fBounds.left()
-                                                     - mask.fBounds.top() * fMaskPtr.stride;
+            fMaskPtr.stride = rowBytes / 2;
+            fMaskPtr.pixels = (uint16_t*)(mask.fImage - mask.fBounds.left() * (size_t)2
+                                                      - mask.fBounds.top()  * rowBytes);
             blitter = &fBlitMaskLCD16;
             break;
         default:
author	Mike Klein <mtklein@chromium.org>	2018-02-26 11:56:30 -0500
committer	Skia Commit-Bot <skia-commit-bot@chromium.org>	2018-02-26 18:27:58 +0000
commit	ec84612c09ec60a93d7a736e6b0818cab6a5c8ec (patch)
tree	2b153b3536118d4fe6928f7f0746f697abaa043c /src
parent	a77c253a1de8e7f1e8ba1614159101f0b5891547 (diff)