Fix integer overflow in BaseRenderingContext2D::PutByteArray

In PutByteArray, the available byte array to allocated is calculated by:
src_bytes_per_row = bytes_per_pixel *source_size.Width where
source_size.Width is int_32 and src_bytes_per_row is uint_32. It's
possible that src_bytes_per_row is valid and
bytes_per_pixel*source_size.Width return integer overflow.

In this cl, I added CheckMath for the assignment to src_bytes_per_row.

Bug: 1084404

Change-Id: Ib52006b03eb37d8ca969e5835538edde4bc7257b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2204831
Commit-Queue: Yi Xu <yiyix@chromium.org>
Reviewed-by: Fernando Serboncini <fserb@chromium.org>
Reviewed-by: Juanmi Huertas <juanmihd@chromium.org>
Cr-Commit-Position: refs/heads/master@{#771628}

third_party/blink/renderer/modules/canvas/canvas2d/base_rendering_context_2d.cc

@@ -8,6 +8,7 @@
 #include <cmath>
 #include <memory>
 
+#include "base/logging.h"
 #include "base/metrics/histogram_functions.h"
 #include "base/numerics/checked_math.h"
 #include "third_party/blink/public/common/features.h"
@@ -1836,7 +1837,13 @@ void BaseRenderingContext2D::PutByteArray(const unsigned char* source,
   DCHECK_GE(origin_y, 0);
   DCHECK_LT(origin_y, source_rect.MaxY());
 
-  const size_t src_bytes_per_row = bytes_per_pixel * source_size.Width();
+  const base::CheckedNumeric<size_t> src_bytes_per_row_checked =
+      base::CheckMul(bytes_per_pixel, source_size.Width());
+  if (!src_bytes_per_row_checked.IsValid()) {
+    VLOG(1) << "Invalid sizes";
+    return;
+  }
+  const size_t src_bytes_per_row = src_bytes_per_row_checked.ValueOrDie();
   const void* src_addr =
       source + origin_y * src_bytes_per_row + origin_x * bytes_per_pixel;