check for bad buffers in Unpack8 Bug:799918 Change-Id: I0502a487d67ce757bf818823cf0ad46b7703294c Reviewed-on: https://skia-review.googlesource.com/92841 Commit-Queue: Mike Reed <reed@google.com> Reviewed-by: Florin Malita <fmalita@chromium.org>

commit: fca3d0aba5a7d17dbf97082b6837e31ff2808b4f [log] [tgz]
author: Mike Reed <reed@google.com> Tue Jan 09 15:13:59 2018 -0500
committer: Skia Commit-Bot <skia-commit-bot@chromium.org> Tue Jan 09 20:41:17 2018 +0000
tree: 6283816eacb4841f60edb41ad091a2023726d5b2
parent: f00faa3f7fe1dc5300f063767a5fa59b74407e18 [diff] [blame]
diff --git a/src/effects/SkPackBits.cpp b/src/effects/SkPackBits.cpp
index 286d9d1..d2dfed9 100644
--- a/src/effects/SkPackBits.cpp
+++ b/src/effects/SkPackBits.cpp

@@ -88,13 +88,13 @@
         unsigned n = *src++;
         if (n <= 127) {   // repeat count (n + 1)
             n += 1;
-            if (dst >(endDst - n)) {
+            if (dst > (endDst - n) || src >= stop) {
                 return 0;
             }
             memset(dst, *src++, n);
         } else {    // same count (n - 127)
             n -= 127;
-            if (dst > (endDst - n)) {
+            if (dst > (endDst - n) || src > (stop - n)) {
                 return 0;
             }
             memcpy(dst, src, n);
@@ -103,5 +103,6 @@
         dst += n;
     }
     SkASSERT(src <= stop);
+    SkASSERT(dst <= endDst);
     return SkToInt(dst - origDst);
 }
commit	fca3d0aba5a7d17dbf97082b6837e31ff2808b4f	[log] [tgz]
author	Mike Reed <reed@google.com>	Tue Jan 09 15:13:59 2018 -0500
committer	Skia Commit-Bot <skia-commit-bot@chromium.org>	Tue Jan 09 20:41:17 2018 +0000
tree	6283816eacb4841f60edb41ad091a2023726d5b2
parent	f00faa3f7fe1dc5300f063767a5fa59b74407e18 [diff] [blame]