Avoid bitmap overflow.

This ensures there are no circumstances under which the following memcpy could write beyond the end of the bitmap. Bug: 1144368 Change-Id: I2d41d9f059445c936387a25d9fe9b45818a3e649 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2511859 Commit-Queue: Adrian Taylor <adetaylor@chromium.org> Reviewed-by: Avi Drissman <avi@chromium.org> Reviewed-by: Sami Kyöstilä <skyostil@chromium.org> Cr-Commit-Position: refs/heads/master@{#822974}

Avoid bitmap overflow.
This ensures there are no circumstances under which the following memcpy could write beyond the end of the bitmap. Bug: 1144368 Change-Id: I2d41d9f059445c936387a25d9fe9b45818a3e649 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2511859 Commit-Queue: Adrian Taylor <adetaylor@chromium.org> Reviewed-by: Avi Drissman <avi@chromium.org> Reviewed-by: Sami Kyöstilä <skyostil@chromium.org> Cr-Commit-Position: refs/heads/master@{#822974}
e598fc59 · Adrian Taylor · Commit Bot · 3172eba8 · e598fc59
Commit e598fc59 authored Oct 31, 2020 by Adrian Taylor Committed by Commit Bot Oct 31, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

ui/gfx/android/java_bitmap.cc ui/gfx/android/java_bitmap.cc +3 -0

No files found.
--- a/ui/gfx/android/java_bitmap.cc
+++ b/ui/gfx/android/java_bitmap.cc
@@ -10,6 +10,7 @@
 #include "base/bits.h"
 #include "base/check_op.h"
 #include "base/notreached.h"
+#include "base/numerics/safe_conversions.h"
 #include "ui/gfx/geometry/size.h"
 #include "ui/gfx/gfx_jni_headers/BitmapHelper_jni.h"

@@ -86,6 +87,8 @@ ScopedJavaLocalRef<jobject> ConvertToJavaBitmap(const SkBitmap* skbitmap,
  JavaBitmap dst_lock(jbitmap);
  void* src_pixels = skbitmap->getPixels();
  void* dst_pixels = dst_lock.pixels();
+  CHECK_GE(base::checked_cast<size_t>(dst_lock.byte_count()),
+           skbitmap->computeByteSize());
  memcpy(dst_pixels, src_pixels, skbitmap->computeByteSize());

  return jbitmap;