Handle size_t addition overflow in GrCpuBuffer::Make

Bug: chromium:990570
Change-Id: I444445aafd8b9d495e45b7eb3b0c78d59d78ecc6
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/234576
Reviewed-by: Brian Osman <brianosman@google.com>
Commit-Queue: Brian Salomon <bsalomon@google.com>

src/gpu/GrCpuBuffer.h

@@ -8,6 +8,7 @@
 #ifndef GrCpuBuffer_DEFINED
 #define GrCpuBuffer_DEFINED
 
+#include "src/core/SkSafeMath.h"
 #include "src/gpu/GrBuffer.h"
 #include "src/gpu/GrNonAtomicRef.h"
 
@@ -15,7 +16,12 @@ class GrCpuBuffer final : public GrNonAtomicRef<GrCpuBuffer>, public GrBuffer {
 public:
     static sk_sp<GrCpuBuffer> Make(size_t size) {
         SkASSERT(size > 0);
-        auto mem = ::operator new(sizeof(GrCpuBuffer) + size);
+        SkSafeMath sm;
+        size_t combinedSize = sm.add(sizeof(GrCpuBuffer), size);
+        if (!sm.ok()) {
+            SK_ABORT("Buffer size is too big.");
+        }
+        auto mem = ::operator new(combinedSize);
         return sk_sp<GrCpuBuffer>(new (mem) GrCpuBuffer((char*)mem + sizeof(GrCpuBuffer), size));
     }