CHECK that bitmaps from the renderer are N32 format in detection code

The detection code makes a COM SoftwareBitmap from an SkBitmap, and has
a DCHECK to verify the bitmap is N32 format, but the mojom allows other
formats. We add CHECKs to ensure that a malicious renderer can not
produce an incorrectly sized Buffer.

R=reillyg@chromium.org

Bug: 1156854
Change-Id: Iecfddbf4512f69bb7102378379ff7129426c488a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2580027Reviewed-by: Reilly Grant <reillyg@chromium.org>
Commit-Queue: danakj <danakj@chromium.org>
Cr-Commit-Position: refs/heads/master@{#834971}

services/shape_detection/detection_utils_win.cc

@@ -20,11 +20,17 @@ ComPtr<ISoftwareBitmap> CreateWinBitmapFromSkBitmap(
     const SkBitmap& bitmap,
     ISoftwareBitmapStatics* bitmap_factory) {
   DCHECK(bitmap_factory);
-  DCHECK_EQ(bitmap.colorType(), kN32_SkColorType);
   if (!base::CheckedNumeric<uint32_t>(bitmap.computeByteSize()).IsValid()) {
     DLOG(ERROR) << "Data overflow.";
     return nullptr;
   }
+  // CreateCopyFromBuffer() assumes the pixels we pass in are 32bits each and
+  // are tightly packed. Receiving a bitmap of a different bits-per-pixel would
+  // create a buffer overflow. The `pixel_format` we use below assumes the
+  // format of the bitmap is N32.
+  CHECK_EQ(bitmap.colorType(), kN32_SkColorType);
+  CHECK_EQ(4, bitmap.info().bytesPerPixel());
+  CHECK_EQ(bitmap.rowBytes(), bitmap.width() * static_cast<size_t>(4));
 
   // Create IBuffer from bitmap data.
   ComPtr<ABI::Windows::Storage::Streams::IBuffer> buffer;