From ca3861669b4507ab9295370ee14d4f1d6b87e0c2 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Sun, 17 Feb 2019 22:11:40 +0100 Subject: Skia: Validate allocation size in GrBufferAllocPool using SkSafeMath. Upstream port of commit 7469a9341afab19271b8ef07af5c16a0f2c4ccc1 --- gfx/skia/skia/src/gpu/GrBufferAllocPool.cpp | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'gfx/skia') diff --git a/gfx/skia/skia/src/gpu/GrBufferAllocPool.cpp b/gfx/skia/skia/src/gpu/GrBufferAllocPool.cpp index 993e1c59dc..c6097b03bb 100644 --- a/gfx/skia/skia/src/gpu/GrBufferAllocPool.cpp +++ b/gfx/skia/skia/src/gpu/GrBufferAllocPool.cpp @@ -152,13 +152,18 @@ void* GrBufferAllocPool::makeSpace(size_t size, BufferBlock& back = fBlocks.back(); size_t usedBytes = back.fBuffer->gpuMemorySize() - back.fBytesFree; size_t pad = GrSizeAlignUpPad(usedBytes, alignment); - if ((size + pad) <= back.fBytesFree) { + SkSafeMath safeMath; + size_t alignedSize = safeMath.add(pad, size); + if (!safeMath.ok()) { + return nullptr; + } + if (alignedSize <= back.fBytesFree) { memset((void*)(reinterpret_cast(fBufferPtr) + usedBytes), 0, pad); usedBytes += pad; *offset = usedBytes; *buffer = back.fBuffer; - back.fBytesFree -= size + pad; - fBytesInUse += size + pad; + back.fBytesFree -= alignedSize; + fBytesInUse += alignedSize; VALIDATE(); return (void*)(reinterpret_cast(fBufferPtr) + usedBytes); } -- cgit v1.2.3