Cleanup issues related to SkBitmap getSize()/extractSubset().
Some minor revisions to do cleanup regarding getSize() and extractSubset(). All
are related to avoid read/write past end of the pixel buffer when getSize() is
used on a bitmap that is the result of a call to extractSubset().
git-svn-id: http://skia.googlecode.com/svn/trunk@835 2bbb7eff-a529-9590-31e7-b0007b416f81
diff --git a/src/core/SkBitmap.cpp b/src/core/SkBitmap.cpp
index 3e26639..a0ab52d 100644
--- a/src/core/SkBitmap.cpp
+++ b/src/core/SkBitmap.cpp
@@ -1321,7 +1321,14 @@
} else {
buffer.write8(SERIALIZE_PIXELTYPE_RAW_NO_CTABLE);
}
- buffer.writePad(fPixels, this->getSize());
+ buffer.writePad(fPixels, this->getSafeSize());
+ // There is no writeZeroPad() fcn, so write individual bytes.
+ if (this->getSize() > this->getSafeSize()) {
+ size_t deltaSize = this->getSize() - this->getSafeSize();
+ // Need aligned pointer to write into due to internal implementa-
+ // tion of SkWriter32.
+ memset(buffer.reserve(SkAlign4(deltaSize)), 0, deltaSize);
+ }
} else {
buffer.write8(SERIALIZE_PIXELTYPE_NONE);
}
@@ -1338,7 +1345,6 @@
this->setConfig((Config)config, width, height, rowBytes);
this->setIsOpaque(buffer.readBool());
- size_t size = this->getSize();
int reftype = buffer.readU8();
switch (reftype) {
case SERIALIZE_PIXELTYPE_REF_PTR: {
@@ -1360,10 +1366,13 @@
if (SERIALIZE_PIXELTYPE_RAW_WITH_CTABLE == reftype) {
ctable = SkNEW_ARGS(SkColorTable, (buffer));
}
+ size_t size = this->getSize();
if (this->allocPixels(ctable)) {
this->lockPixels();
- buffer.read(this->getPixels(), this->getSafeSize()); // Just read what we need.
- buffer.skip(size - this->getSafeSize()); // Keep aligned for subsequent reads.
+ // Just read what we need.
+ buffer.read(this->getPixels(), this->getSafeSize());
+ // Keep aligned for subsequent reads.
+ buffer.skip(size - this->getSafeSize());
this->unlockPixels();
} else {
buffer.skip(size); // Still skip the full-sized buffer though.