Fixed a few places where uninitialized memory could have been read
Also added an early exit in SkImageFilter's constructor so that it stops trying to deserialize the remaining inputs once a bad input has been found. This avoids a hang when a filter claims to have 1 billion inputs and that count is just an error in the number of inputs read by the filter.
BUG=326206,326197,326229
R=senorblanco@chromium.org, senorblanco@google.com, reed@google.com, sugoi@google.com
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/106943002
git-svn-id: http://skia.googlecode.com/svn/trunk@12544 2bbb7eff-a529-9590-31e7-b0007b416f81
diff --git a/src/core/SkBitmap.cpp b/src/core/SkBitmap.cpp
index d2a308b..7e204f2 100644
--- a/src/core/SkBitmap.cpp
+++ b/src/core/SkBitmap.cpp
@@ -1557,8 +1557,11 @@
buffer.validate((width >= 0) && (height >= 0) && (rowBytes >= 0) &&
SkIsValidConfig(config) && validate_alphaType(config, alphaType));
- this->setConfig(config, width, height, rowBytes, alphaType);
- buffer.validate(fRowBytes >= (fWidth * fBytesPerPixel));
+ bool configIsValid = this->setConfig(config, width, height, rowBytes, alphaType);
+ // Note : Using (fRowBytes >= (fWidth * fBytesPerPixel)) in the following test can create false
+ // positives if the multiplication causes an integer overflow. Use the division instead.
+ buffer.validate(configIsValid && (fBytesPerPixel > 0) &&
+ ((fRowBytes / fBytesPerPixel) >= fWidth));
int reftype = buffer.readInt();
if (buffer.validate((SERIALIZE_PIXELTYPE_REF_DATA == reftype) ||