Fix out of bounds memory write in SkGifCodec
Follow on to 5860. When computing left and top, divide by the sample
size directly rather than using get_scaled_dimension, which promotes
0 to 1, potentially moving the area to clear outside the bounds of
the image.
BUG=skia:6046
Change-Id: I87c3fe88fadb400743174af9f9a277acd4fbc279
Reviewed-on: https://skia-review.googlesource.com/5924
Reviewed-by: Matt Sarett <msarett@google.com>
Commit-Queue: Leon Scroggins <scroggo@google.com>
diff --git a/src/codec/SkGifCodec.cpp b/src/codec/SkGifCodec.cpp
index 618a5b5..7b07f2a 100644
--- a/src/codec/SkGifCodec.cpp
+++ b/src/codec/SkGifCodec.cpp
@@ -421,8 +421,11 @@
if (prevFrame->getDisposalMethod() == SkCodecAnimation::RestoreBGColor_DisposalMethod) {
SkIRect prevRect = prevFrame->frameRect();
if (prevRect.intersect(this->getInfo().bounds())) {
- auto left = get_scaled_dimension(prevRect.fLeft, fSwizzler->sampleX());
- auto top = get_scaled_dimension(prevRect.fTop, fSwizzler->sampleY());
+ // Do the divide ourselves for left and top, since we do not want
+ // get_scaled_dimension to upgrade 0 to 1. (This is similar to SkSampledCodec's
+ // sampling of the subset.)
+ auto left = prevRect.fLeft / fSwizzler->sampleX();
+ auto top = prevRect.fTop / fSwizzler->sampleY();
void* const eraseDst = SkTAddOffset<void>(fDst, top * fDstRowBytes
+ left * SkColorTypeBytesPerPixel(dstInfo.colorType()));
auto width = get_scaled_dimension(prevRect.width(), fSwizzler->sampleX());
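Review bot: The area to clear is still not bounded against the destination here: `left` and `top` are now truncating divides, but `width` on the last line of the hunk still comes from get_scaled_dimension, which per the commit message promotes 0 to 1, and nothing visible checks `left + width` or `top + height` against the scaled output size. If the scaled dimension is computed as dimension / sampleSize, an image 7 pixels wide sampled by 4 scales to one column, while a previous-frame rect starting at x = 4 gives `left == 1`, which is already past that column. I would make the bound explicit before `eraseDst` is computed, assuming `dstInfo` describes the scaled destination: skip the clear when `left >= dstInfo.width() || top >= dstInfo.height()`, and clamp with `width = SkTMin(width, dstInfo.width() - left);` (and the same for height). The height computation and the fill call lie outside the hunk, so please confirm whether such a clamp already exists there.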