diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/images/SkImageDecoder_libpng.cpp | 17 | ||||
| -rw-r--r-- | src/ports/SkFontHost_FreeType.cpp | 9 |
2 files changed, 22 insertions, 4 deletions
diff --git a/src/images/SkImageDecoder_libpng.cpp b/src/images/SkImageDecoder_libpng.cpp index 1d1dd34433..9c0b48d98f 100644 --- a/src/images/SkImageDecoder_libpng.cpp +++ b/src/images/SkImageDecoder_libpng.cpp @@ -259,7 +259,20 @@ bool SkPNGImageDecoder::onDecode(SkStream* sk_stream, SkBitmap* decodedBitmap, } } } - + + // sanity check for size + { + Sk64 size; + size.setMul(origWidth, origHeight); + if (size.isNeg() || !size.is32()) { + return false; + } + // now check that if we are 4-bytes per pixel, we also don't overflow + if (size.get32() > (0x7FFFFFFF >> 2)) { + return false; + } + } + if (!this->chooseFromOneChoice(config, origWidth, origHeight)) { return false; } @@ -396,7 +409,7 @@ bool SkPNGImageDecoder::onDecode(SkStream* sk_stream, SkBitmap* decodedBitmap, SkAutoMalloc storage(origWidth * origHeight * srcBytesPerPixel); uint8_t* base = (uint8_t*)storage.get(); size_t rb = origWidth * srcBytesPerPixel; - + for (int i = 0; i < number_passes; i++) { uint8_t* row = base; for (png_uint_32 y = 0; y < origHeight; y++) { diff --git a/src/ports/SkFontHost_FreeType.cpp b/src/ports/SkFontHost_FreeType.cpp index 94d5b4b294..556b307241 100644 --- a/src/ports/SkFontHost_FreeType.cpp +++ b/src/ports/SkFontHost_FreeType.cpp @@ -750,6 +750,7 @@ void SkScalerContext_FreeType::generateFontMetrics(SkPaint::FontMetrics* mx, SkAutoMutexAcquire ac(gFTMutex); if (this->setupSize()) { + ERROR: if (mx) { bzero(mx, sizeof(SkPaint::FontMetrics)); } @@ -759,10 +760,14 @@ void SkScalerContext_FreeType::generateFontMetrics(SkPaint::FontMetrics* mx, return; } + FT_Face face = fFace; + int upem = face->units_per_EM; + if (upem <= 0) { + goto ERROR; + } + SkPoint pts[6]; SkFixed ys[6]; - FT_Face face = fFace; - int upem = face->units_per_EM; SkFixed scaleY = fScaleY; SkFixed mxy = fMatrix22.xy; SkFixed myy = fMatrix22.yy; |