Fix potential bad address read in RasterDecoderImpl

ClusterFuzz found a potential bad address read in
RasterDecoderImpl::DoWritePixelsINTERNAL when |row_bytes| <
SkImageInfo::minRowBytes() for the image. This CL enforces that
minimum size on the client and service sides of the command.

Bug: 1087921
Change-Id: Id4e95adb7a1be9d9b5d0d6640b8b8780a580b7be
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2238847Reviewed-by: Khushal <khushalsagar@chromium.org>
Commit-Queue: Nathan Zabriskie <nazabris@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#776850}

gpu/command_buffer/client/raster_implementation.cc

@@ -1120,6 +1120,8 @@ void RasterImplementation::WritePixels(const gpu::Mailbox& dest_mailbox,
                                        GLuint row_bytes,
                                        const SkImageInfo& src_info,
                                        const void* src_pixels) {
+  DCHECK_GE(row_bytes, src_info.minRowBytes());
+
   // Get the size of the SkColorSpace while maintaining 8-byte alignment.
   GLuint pixels_offset = 0;
   if (src_info.colorSpace()) {

gpu/command_buffer/service/raster_decoder.cc

@@ -2304,6 +2304,13 @@ void RasterDecoderImpl::DoWritePixelsINTERNAL(GLint x_offset,
       src_width, src_height, static_cast<SkColorType>(src_sk_color_type),
       static_cast<SkAlphaType>(src_sk_alpha_type), std::move(color_space));
 
+  if (row_bytes < src_info.minRowBytes()) {
+    LOCAL_SET_GL_ERROR(GL_INVALID_VALUE, "glWritePixels",
+                       "row_bytes be >= "
+                       "SkImageInfo::minRowBytes() for source image.");
+    return;
+  }
+
   std::vector<GrBackendSemaphore> begin_semaphores;
   std::vector<GrBackendSemaphore> end_semaphores;