Fix image decoder memory overwrite bug.

In SkPNGImageDecoder::onDecodeSubset, use png_read_rows to write to the scratch memory provided. This is what we should have been doing anyway. Further, writing directly to the bitmap can cause writing to the wrong memory since the bitmap may not be as big as the scratch memory in the case of sampling with a short bitmap. Bug=b/13921093 R=djsollen@google.com Author: scroggo@google.com Review URL: https://codereview.chromium.org/423473003
2014-07-25 13:54:43 -07:00 · 2014-07-25 13:54:43 -07:00 · fc7063b3a5
commit fc7063b3a5
parent d6aeb6dc8f
1 changed files with 2 additions and 4 deletions
--- a/src/images/SkImageDecoder_libpng.cpp
+++ b/src/images/SkImageDecoder_libpng.cpp
@ -911,8 +911,7 @@ bool SkPNGImageDecoder::onDecodeSubset(SkBitmap* bm, const SkIRect& region) {
            for (int i = 0; i < number_passes; i++) {
                png_configure_decoder(png_ptr, &actualTop, i);
                for (int j = 0; j < rect.fTop - actualTop; j++) {
-                    uint8_t* bmRow = (uint8_t*)decodedBitmap.getPixels();
-                    png_read_rows(png_ptr, &bmRow, png_bytepp_NULL, 1);
+                    png_read_rows(png_ptr, &base, png_bytepp_NULL, 1);
                }
                uint8_t* row = base;
                for (int32_t y = 0; y < rect.height(); y++) {
@ -935,8 +934,7 @@ bool SkPNGImageDecoder::onDecodeSubset(SkBitmap* bm, const SkIRect& region) {
            skip_src_rows(png_ptr, srcRow, sampler.srcY0());

            for (int i = 0; i < rect.fTop - actualTop; i++) {
-                uint8_t* bmRow = (uint8_t*)decodedBitmap.getPixels();
-                png_read_rows(png_ptr, &bmRow, png_bytepp_NULL, 1);
+                png_read_rows(png_ptr, &srcRow, png_bytepp_NULL, 1);
            }
            for (int y = 0; y < height; y++) {
                uint8_t* tmp = srcRow;