DivestOS/Patches/LineageOS-14.1/android_external_skia/410675.patch

51 lines
1.6 KiB
Diff
Raw Normal View History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ben Wagner <bungeman@google.com>
Date: Mon, 12 Aug 2024 15:00:08 -0400
Subject: [PATCH] Bounds check in skia_alloc_func
The allocator callback for zlib needs to check that items * size will
fit in size_t and return nullptr if not.
Conflicts:
- src/pdf/SkDeflate.cpp: just in header includes
Bug: 349678452
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/888996
Commit-Queue: Ben Wagner <bungeman@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:94b46e52960ec84a69304ea058fd928e3de6fa56)
Merged-In: Id1a30592d435bd0de4630e7047f26b0dc17654fc
Change-Id: Id1a30592d435bd0de4630e7047f26b0dc17654fc
Change-Id: I1c198cb3586db94b45d6f6592fac9c0dc9f19f23
---
src/pdf/SkDeflate.cpp | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/pdf/SkDeflate.cpp b/src/pdf/SkDeflate.cpp
index 3ae0d46068..2cc38bb9b7 100644
--- a/src/pdf/SkDeflate.cpp
+++ b/src/pdf/SkDeflate.cpp
@@ -10,6 +10,7 @@
#include "SkData.h"
#include "SkDeflate.h"
#include "SkStream.h"
+#include "SkTFitsIn.h"
#ifdef ZLIB_INCLUDE
#include ZLIB_INCLUDE
@@ -22,6 +23,13 @@ namespace {
// Different zlib implementations use different T.
// We've seen size_t and unsigned.
template <typename T> void* skia_alloc_func(void*, T items, T size) {
+ if (!SkTFitsIn<size_t>(size)) {
+ return nullptr;
+ }
+ const size_t maxItems = SIZE_MAX / size;
+ if (maxItems < items) {
+ return nullptr;
+ }
return sk_calloc_throw(SkToSizeT(items) * SkToSizeT(size));
}