use 64bit math in TArray realloc
Bug: oss-fuzz:8217
Change-Id: Idecd1867e7047744477c7dfbb6c9bc5654a36ade
Reviewed-on: https://skia-review.googlesource.com/127324
Reviewed-by: Brian Salomon <bsalomon@google.com>
Commit-Queue: Mike Reed <reed@google.com>
diff --git a/include/private/SkTArray.h b/include/private/SkTArray.h
index 68dab9a..c9bee99 100644
--- a/include/private/SkTArray.h
+++ b/include/private/SkTArray.h
@@ -8,6 +8,7 @@
#ifndef SkTArray_DEFINED
#define SkTArray_DEFINED
+#include "../private/SkSafe32.h"
#include "../private/SkTLogic.h"
#include "../private/SkTemplates.h"
#include "SkTypes.h"
@@ -516,7 +517,8 @@
SkASSERT(fAllocCount >= 0);
SkASSERT(-delta <= fCount);
- int newCount = fCount + delta;
+ // Move into 64bit math temporarily, to avoid local overflows
+ int64_t newCount = fCount + delta;
// We allow fAllocCount to be in the range [newCount, 3*newCount]. We also never shrink
// when we're currently using preallocated memory, would allocate less than
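Review bot: On the new `int64_t newCount = fCount + delta;` line the addition is still evaluated in the operands' own type, and only the finished result is widened. If `fCount` and `delta` are both `int` (their declarations are outside this hunk, so this is inferred), a sum past INT_MAX overflows as signed 32-bit arithmetic before the 64-bit variable receives it, which is the case the commit sets out to remove. Widening one operand first keeps the whole expression in 64 bits: `int64_t newCount = (int64_t)fCount + delta;`. The enclosing function begins and ends outside the hunk.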
@@ -527,8 +529,9 @@
return;
}
+
// Whether we're growing or shrinking, we leave at least 50% extra space for future growth.
- int newAllocCount = newCount + ((newCount + 1) >> 1);
+ int64_t newAllocCount = newCount + ((newCount + 1) >> 1);
// Align the new allocation count to kMinHeapAllocCount.
static_assert(SkIsPow2(kMinHeapAllocCount), "min alloc count not power of two.");
newAllocCount = (newAllocCount + (kMinHeapAllocCount - 1)) & ~(kMinHeapAllocCount - 1);
@@ -536,7 +539,9 @@
if (newAllocCount == fAllocCount) {
return;
}
- fAllocCount = newAllocCount;
+
+ fAllocCount = Sk64_pin_to_s32(newAllocCount);
+ SkASSERT(fAllocCount >= newCount);
void* newMemArray = sk_malloc_throw(fAllocCount, sizeof(T));
this->move(newMemArray);
if (fOwnMemory) {
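Review bot: The new `SkASSERT(fAllocCount >= newCount);` is the only guard against a pinned capacity that is smaller than the requested element count, and SkASSERT is normally compiled out of release builds. When `Sk64_pin_to_s32` clamps, release code would continue to `sk_malloc_throw(fAllocCount, sizeof(T))` with fewer slots than `newCount`, and later element writes by the caller could land past the end of the allocation. A check that survives in release builds belongs here, for example `if (fAllocCount < newCount) { SK_ABORT("SkTArray capacity overflow"); }`, or SkASSERT_RELEASE if this revision provides it. The function continues past the end of the hunk.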