author: sugoi <sugoi@chromium.org> 2015-02-19 05:32:08 -0800
committer: Commit bot <commit-bot@chromium.org> 2015-02-19 05:32:09 -0800
commit: f421ec6cc9c8f32d717b9b1df71fd9e79817a16c
tree: 14284d46a64e0669e21f16d67306a7bcf122eb3e /src
parent: cd87c51de6bf81ed232b5d828c88771829c0bf76
Fixing possible out of bound memory access
This was a bug found by ASAN. When width is very small, we can have something like width == 1 and rowBytes == 8. Using "2 * yWidth" (2) would be smaller than rowBytesY (8), so we could read memory out of bounds. This issue has a separate fix in blink (crbug.com/458861).

BUG=skia:
Review URL: https://codereview.chromium.org/936133003
Diffstat (limited to 'src')
-rw-r--r-- src/images/SkImageDecoder_libjpeg.cpp 8
1 files changed, 4 insertions, 4 deletions
diff --git a/src/images/SkImageDecoder_libjpeg.cpp b/src/images/SkImageDecoder_libjpeg.cpp
index 3c93e6177d..d32e2a21c9 100644
--- a/src/images/SkImageDecoder_libjpeg.cpp
+++ b/src/images/SkImageDecoder_libjpeg.cpp
@@ -798,11 +798,11 @@ static bool output_raw_data(jpeg_decompress_struct& cinfo, void* planes[3], size
size_t rowBytesV = rowBytes[2];
int yScanlinesToRead = DCTSIZE * v;
- SkAutoMalloc lastRowStorage(yWidth * 8);
+ SkAutoMalloc lastRowStorage(rowBytesY * 4);
JSAMPROW yLastRow = (JSAMPROW)lastRowStorage.get();
- JSAMPROW uLastRow = yLastRow + 2 * yWidth;
- JSAMPROW vLastRow = uLastRow + 2 * yWidth;
- JSAMPROW dummyRow = vLastRow + 2 * yWidth;
+ JSAMPROW uLastRow = yLastRow + rowBytesY;
+ JSAMPROW vLastRow = uLastRow + rowBytesY;
+ JSAMPROW dummyRow = vLastRow + rowBytesY;
while (cinfo.output_scanline < cinfo.output_height) {
// Request 8 or 16 scanlines: returns 0 or more scanlines.
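Review bot: The uLastRow, vLastRow and dummyRow slices are each spaced rowBytesY apart, but nothing in this hunk guarantees that rowBytesV (or the U-plane stride, which is not shown here) is no larger than rowBytesY. If a caller ever passes a chroma stride wider than the luma stride, a row-sized access into the U or V slice would run into the next slice or past the end of lastRowStorage, which is the same class of bug this change fixes. Consider asserting that both chroma strides are <= rowBytesY before the allocation, or sizing each slice from its own stride and allocating the sum. The literal 4 in "rowBytesY * 4" also deserves a short comment saying it covers the Y, U, V and dummy rows, so the buffer size and the three pointer offsets stay in sync if a row is added later.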