Add max_size parameter to skia::ImageDataToSkBitmaps

WebFaviconDriver::DownloadImage has a max size parameter
to avoid issue with image decompression bombs.
Add a parameter to ImageDataToSkBitmaps to respect this
max size.

Bug: 1095383
Change-Id: Id52783abae71d27e8c829ac43d9b4ee37220ae6f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2560742Reviewed-by: Sylvain Defresne <sdefresne@chromium.org>
Reviewed-by: Brian Osman <brianosman@google.com>
Commit-Queue: Olivier Robin <olivierrobin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#831020}

components/favicon/ios/web_favicon_driver.mm

@@ -71,7 +71,7 @@ int WebFaviconDriver::DownloadImage(const GURL& url,
         std::vector<SkBitmap> frames;
         std::vector<gfx::Size> sizes;
         if (data) {
-          frames = skia::ImageDataToSkBitmaps(data);
+          frames = skia::ImageDataToSkBitmapsWithMaxSize(data, max_image_size);
           for (const auto& frame : frames) {
             sizes.push_back(gfx::Size(frame.width(), frame.height()));
           }

skia/ext/skia_utils_ios.h

@@ -38,6 +38,14 @@ SK_API UIImage* SkBitmapToUIImageWithColorSpace(const SkBitmap& skia_bitmap,
 // vector if none can be decoded.
 SK_API std::vector<SkBitmap> ImageDataToSkBitmaps(NSData* image_data);
 
+// Decodes all image representations inside the data into a vector of SkBitmaps.
+// If a representation is bigger than max_size (either width or height), it is
+// ignored.
+// Returns a vector of all the successfully decoded representations or an empty
+// vector if none can be decoded.
+SK_API std::vector<SkBitmap> ImageDataToSkBitmapsWithMaxSize(NSData* image_data,
+                                                             CGFloat max_size);
+
 // Returns a UIColor for an SKColor. Used by iOS downstream.
 SK_API UIColor* UIColorFromSkColor(SkColor color);
 

skia/ext/skia_utils_ios.mm

@@ -91,6 +91,11 @@ UIImage* SkBitmapToUIImageWithColorSpace(const SkBitmap& skia_bitmap,
 }
 
 std::vector<SkBitmap> ImageDataToSkBitmaps(NSData* image_data) {
+  return ImageDataToSkBitmapsWithMaxSize(image_data, CGFLOAT_MAX);
+}
+
+std::vector<SkBitmap> ImageDataToSkBitmapsWithMaxSize(NSData* image_data,
+                                                      CGFloat max_size) {
   DCHECK(image_data);
 
   // On iOS 8.1.1 |CGContextDrawImage| crashes when processing images included
@@ -112,6 +117,8 @@ std::vector<SkBitmap> ImageDataToSkBitmaps(NSData* image_data) {
 
     CGSize size = CGSizeMake(CGImageGetWidth(cg_image),
                              CGImageGetHeight(cg_image));
+    if (size.width > max_size || size.width >= max_size)
+      continue;
     if (size.width >= 88 && size.height >= 88 && skip_images_88x88_or_larger)
       continue;
 

skia/ext/skia_utils_ios_unittest.mm

@@ -138,6 +138,14 @@ TEST_F(SkiaUtilsIosTest, ImageDataToSkBitmaps) {
   EXPECT_EQ(16, bitmaps[1].height());
 }
 
+TEST_F(SkiaUtilsIosTest, ImageTooLarge) {
+  std::vector<SkBitmap> bitmaps(skia::ImageDataToSkBitmapsWithMaxSize(
+      StringToNSData(kIcoEncodedData), 20));
+  EXPECT_EQ(1UL, bitmaps.size());
+  EXPECT_EQ(16, bitmaps[0].width());
+  EXPECT_EQ(16, bitmaps[0].height());
+}
+
 TEST_F(SkiaUtilsIosTest, InvalidDataFailure) {
   std::vector<SkBitmap> bitmaps1(skia::ImageDataToSkBitmaps(InvalidData(1)));
   EXPECT_EQ(0UL, bitmaps1.size());