From 160e93dc19cb498dd846f5ad7b1fd810910c7465 Mon Sep 17 00:00:00 2001
From: Kevin Lubick <kjlubick@google.com>
Date: Fri, 18 May 2018 11:32:33 -0400
Subject: Prevent SkMatrixConvolutionImageFilter from allocating large buffers
 it can't fill

Bug: skia:7937
Change-Id: I71a5673939b3d91864a4b788e1e3a520b0ee04dd
Reviewed-on: https://skia-review.googlesource.com/129179
Reviewed-by: Mike Klein <mtklein@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
---
 src/effects/SkMatrixConvolutionImageFilter.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'src/effects')

diff --git a/src/effects/SkMatrixConvolutionImageFilter.cpp b/src/effects/SkMatrixConvolutionImageFilter.cpp
index 2119a8b108..153c6f4c48 100644
--- a/src/effects/SkMatrixConvolutionImageFilter.cpp
+++ b/src/effects/SkMatrixConvolutionImageFilter.cpp
@@ -90,6 +90,9 @@ sk_sp<SkFlattenable> SkMatrixConvolutionImageFilter::CreateProc(SkReadBuffer& bu
     if (!buffer.validate(kernelArea == count)) {
         return nullptr;
     }
+    if (!buffer.validateCanReadN<SkScalar>(count)) {
+        return nullptr;
+    }
     SkAutoSTArray<16, SkScalar> kernel(count);
     if (!buffer.readScalarArray(kernel.get(), count)) {
         return nullptr;
@@ -103,6 +106,9 @@ sk_sp<SkFlattenable> SkMatrixConvolutionImageFilter::CreateProc(SkReadBuffer& bu
     TileMode tileMode = buffer.read32LE(kLast_TileMode);
     bool convolveAlpha = buffer.readBool();
 
+    if (!buffer.isValid()) {
+        return nullptr;
+    }
     return Make(kernelSize, kernel.get(), gain, bias, kernelOffset, tileMode,
                 convolveAlpha, common.getInput(0), &common.cropRect());
 }
-- 
cgit v1.2.3