Fixing possible out-of-bounds memory access

This was a bug found by ASAN. When width is very small, we can have something like width == 1 and rowBytes == 8. Using "2 * yWidth" (2), which is smaller than rowBytesY (8), means we could read memory out of bounds. This issue has a separate fix in blink (crbug.com/458861).

BUG=skia:

Review URL: https://codereview.chromium.org/936133003
sugoi 2015-02-19 05:32:08 -08:00 committed by Commit bot
parent cd87c51de6
commit f421ec6cc9


@ -798,11 +798,11 @@ static bool output_raw_data(jpeg_decompress_struct& cinfo, void* planes[3], size
size_t rowBytesV = rowBytes[2]; size_t rowBytesV = rowBytes[2];
int yScanlinesToRead = DCTSIZE * v; int yScanlinesToRead = DCTSIZE * v;
SkAutoMalloc lastRowStorage(yWidth * 8); SkAutoMalloc lastRowStorage(rowBytesY * 4);
JSAMPROW yLastRow = (JSAMPROW)lastRowStorage.get(); JSAMPROW yLastRow = (JSAMPROW)lastRowStorage.get();
JSAMPROW uLastRow = yLastRow + 2 * yWidth; JSAMPROW uLastRow = yLastRow + rowBytesY;
JSAMPROW vLastRow = uLastRow + 2 * yWidth; JSAMPROW vLastRow = uLastRow + rowBytesY;
JSAMPROW dummyRow = vLastRow + 2 * yWidth; JSAMPROW dummyRow = vLastRow + rowBytesY;
while (cinfo.output_scanline < cinfo.output_height) { while (cinfo.output_scanline < cinfo.output_height) {
// Request 8 or 16 scanlines: returns 0 or more scanlines. // Request 8 or 16 scanlines: returns 0 or more scanlines.
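Review bot: the new layout sizes all four scratch rows from rowBytesY alone (`SkAutoMalloc lastRowStorage(rowBytesY * 4);` with `uLastRow = yLastRow + rowBytesY;` and `vLastRow = uLastRow + rowBytesY;`), yet uLastRow and vLastRow stand in for rows of the U and V planes, whose strides come from rowBytes[1] and rowBytes[2] (`size_t rowBytesV = rowBytes[2];` is in the context above). That is only safe if the U and V strides never exceed rowBytesY; if the caller guarantees that, an SkASSERT on it next to the allocation would document the invariant, otherwise size the buffer from the largest of the three strides so the fix does not trade one under-allocation for another.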