From 8a4e9c51f4ef57f9a1d5d128e778657d96f14e53 Mon Sep 17 00:00:00 2001
From: Matt Sarett <msarett@google.com>
Date: Tue, 25 Oct 2016 14:24:50 -0400
Subject: SkGifCodec: do not write off the end of memory when repeatCount > 1

BUG=skia:5887

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=3940

Change-Id: I9e3ed6153a73277896ac067ef73918a41a0546b8
Reviewed-on: https://skia-review.googlesource.com/3940
Reviewed-by: Leon Scroggins <scroggo@google.com>
Commit-Queue: Matt Sarett <msarett@google.com>
---
 resources/invalid_images/skbug5887.gif | Bin 0 -> 280 bytes
 src/codec/SkGifCodec.cpp               |   4 ++++
 tests/CodecTest.cpp                    |  13 +++++++++----
 3 files changed, 13 insertions(+), 4 deletions(-)
 create mode 100644 resources/invalid_images/skbug5887.gif

diff --git a/resources/invalid_images/skbug5887.gif b/resources/invalid_images/skbug5887.gif
new file mode 100644
index 0000000000..7d9987d132
Binary files /dev/null and b/resources/invalid_images/skbug5887.gif differ
diff --git a/src/codec/SkGifCodec.cpp b/src/codec/SkGifCodec.cpp
index 46a38cd34a..e7d8afdd07 100644
--- a/src/codec/SkGifCodec.cpp
+++ b/src/codec/SkGifCodec.cpp
@@ -464,6 +464,10 @@ bool SkGifCodec::haveDecodedRow(size_t frameIndex, const unsigned char* rowBegin
         if (!foundNecessaryRow) {
             return true;
         }
+    } else {
+        // Make sure the repeatCount does not take us beyond the end of the dst
+        SkASSERT(this->dstInfo().height() >= yBegin);
+        repeatCount = SkTMin(repeatCount, (unsigned) (this->dstInfo().height() - yBegin));
     }
 
     if (!fFilledBackground) {
diff --git a/tests/CodecTest.cpp b/tests/CodecTest.cpp
index 738e0cc91d..c171a7eac4 100644
--- a/tests/CodecTest.cpp
+++ b/tests/CodecTest.cpp
@@ -1429,9 +1429,14 @@ DEF_TEST(Codec_rowsDecoded, r) {
     REPORTER_ASSERT(r, rowsDecoded == 0);
 }
 
-DEF_TEST(Codec_IcoIntOverflow, r) {
-    // ASAN will complain if there is an issue.
+static void test_invalid_images(skiatest::Reporter* r, const char* path, bool shouldSucceed) {
     SkBitmap bitmap;
-    const bool success = GetResourceAsBitmap("invalid_images/int_overflow.ico", &bitmap);
-    REPORTER_ASSERT(r, !success);
+    const bool success = GetResourceAsBitmap(path, &bitmap);
+    REPORTER_ASSERT(r, success == shouldSucceed);
+}
+
+DEF_TEST(Codec_InvalidImages, r) {
+    // ASAN will complain if there is an issue.
+    test_invalid_images(r, "invalid_images/int_overflow.ico", false);
+    test_invalid_images(r, "invalid_images/skbug5887.gif", true);
 }
-- 
cgit v1.2.3