Keep SkRasterPipelineSpriteBlitter's src/dst offset math in size_t

With big enough y and stride (e.g. 27 and ~20000000) the expression - bpp*x - bpp*y*fSrcPtr.stride can underflow, and cause mayhem. Bug: chromium:797796 Change-Id: Ifc412230c4c7eadfcd36446113be9ac1753b5b1c Reviewed-on: https://skia-review.googlesource.com/99343 Reviewed-by: Mike Reed <reed@google.com> Commit-Queue: Mike Klein <mtklein@chromium.org>
2018-01-24 15:36:35 -05:00 · 2018-01-24 15:36:35 -05:00 · 548d387ab9
commit 548d387ab9
parent 678f6b1a55
1 changed files with 8 additions and 4 deletions
--- a/src/core/SkBlitter_Sprite.cpp
+++ b/src/core/SkBlitter_Sprite.cpp
@ -142,11 +142,15 @@ public:
    }

    void blitRect(int x, int y, int width, int height) override {
-        int bpp = fSource.info().bytesPerPixel();
-
        fSrcPtr.stride = fSource.rowBytesAsPixels();
-        fSrcPtr.pixels = (char*)fSource.addr(x-fLeft, y-fTop) - bpp * x
-                                                              - bpp * y * fSrcPtr.stride;
+
+        // We really want fSrcPtr.pixels = fSource.addr(-fLeft, -fTop) here, but that asserts.
+        // Instead we ask for addr(-fLeft+x, -fTop+y), then back up (x,y) manually.
+        // Representing bpp as a size_t keeps all this math in size_t instead of int,
+        // which could wrap around with large enough fSrcPtr.stride and y.
+        size_t bpp = fSource.info().bytesPerPixel();
+        fSrcPtr.pixels = (char*)fSource.addr(-fLeft+x, -fTop+y) - bpp * x
+                                                                - bpp * y * fSrcPtr.stride;

        fBlitter->blitRect(x,y,width,height);
    }