commit ef74fa189b738e13295d6a96f86a6e10223505a8
author commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81> Tue Dec 17 20:49:46 2013 +0000
committer commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81> Tue Dec 17 20:49:46 2013 +0000
tree 3434cb996555b725b71a520a93c8781923bc04ec
parent 7d0b6131918c1b8d458a95f6b5e79f92f958b78f

Fixed more fuzzer issues

- Added the "isAvailable" function to check how much bytes are remaining in the stream before doing potentially large mallocs. That way, we can signal a bad stream instead of crashing.
- Added data validation in SkImageInfo.cpp
- Added NULL pointer check in displacement
- Modified the fuzzer for randomized bitmap types

BUG=328934,329254
R=senorblanco@google.com, senorblanco@chromium.org, reed@google.com, sugoi@google.com

Author: sugoi@chromium.org

Review URL: https://codereview.chromium.org/116773002

git-svn-id: http://skia.googlecode.com/svn/trunk@12723 2bbb7eff-a529-9590-31e7-b0007b416f81

src/effects/gradients/SkGradientShader.cpp

diff --git a/src/effects/gradients/SkGradientShader.cpp b/src/effects/gradients/SkGradientShader.cpp
index 5d200d1..6925ad2 100644
--- a/src/effects/gradients/SkGradientShader.cpp
+++ b/src/effects/gradients/SkGradientShader.cpp
@@ -154,8 +154,13 @@
 
     int colorCount = fColorCount = buffer.getArrayCount();
     if (colorCount > kColorStorageCount) {
-        size_t size = sizeof(SkColor) + sizeof(SkPMColor) + sizeof(Rec);
-        fOrigColors = (SkColor*)sk_malloc_throw(size * colorCount);
+        size_t allocSize = (sizeof(SkColor) + sizeof(SkPMColor) + sizeof(Rec)) * colorCount;
+        if (buffer.validateAvailable(allocSize)) {
+            fOrigColors = reinterpret_cast<SkColor*>(sk_malloc_throw(allocSize));
+        } else {
+            fOrigColors =  NULL;
+            colorCount = fColorCount = 0;
+        }
     } else {
         fOrigColors = fStorage;
     }