commit d1d4460547bcd76db7142cf9b6370dc952d459fc
author reed <reed@google.com> Thu Oct 01 11:21:57 2015 -0700
committer Commit bot <commit-bot@chromium.org> Thu Oct 01 11:21:57 2015 -0700
tree c3bb07a479e8157242473aedeb02c7df77586b8b
parent 3d8c33cd835054affab43ac8c96f349147d2e776

add hard-coded limit for tmp allocations when HQ image scaling

BUG=528628

Review URL: https://codereview.chromium.org/1368393003

src/core/SkBitmapScaler.cpp

diff --git a/src/core/SkBitmapScaler.cpp b/src/core/SkBitmapScaler.cpp
index 962fdce..965955a 100644
--- a/src/core/SkBitmapScaler.cpp
+++ b/src/core/SkBitmapScaler.cpp
@@ -245,11 +245,13 @@
       return false;
     }
 
-    BGRAConvolve2D(sourceSubset, static_cast<int>(source.rowBytes()),
-      !source.isOpaque(), filter.xFilter(), filter.yFilter(),
-      static_cast<int>(result.rowBytes()),
-      static_cast<unsigned char*>(result.getPixels()),
-      convolveProcs, true);
+    if (!BGRAConvolve2D(sourceSubset, static_cast<int>(source.rowBytes()),
+                        !source.isOpaque(), filter.xFilter(), filter.yFilter(),
+                        static_cast<int>(result.rowBytes()),
+                        static_cast<unsigned char*>(result.getPixels()),
+                        convolveProcs, true)) {
+        return false;
+    }
 
     *resultPtr = result;
     resultPtr->lockPixels();

src/core/SkConvolver.cpp

diff --git a/src/core/SkConvolver.cpp b/src/core/SkConvolver.cpp
index 3a088aa..72deeaf 100644
--- a/src/core/SkConvolver.cpp
+++ b/src/core/SkConvolver.cpp
@@ -3,6 +3,7 @@
 // found in the LICENSE file.
 
 #include "SkConvolver.h"
+#include "SkMath.h"
 #include "SkSize.h"
 #include "SkTypes.h"
 
@@ -358,7 +359,7 @@
     return &fFilterValues[filter.fDataLocation];
 }
 
-void BGRAConvolve2D(const unsigned char* sourceData,
+bool BGRAConvolve2D(const unsigned char* sourceData,
                     int sourceByteRowStride,
                     bool sourceHasAlpha,
                     const SkConvolutionFilter1D& filterX,
@@ -393,6 +394,20 @@
     int rowBufferWidth = (filterX.numValues() + 15) & ~0xF;
     int rowBufferHeight = maxYFilterSize +
                           (convolveProcs.fConvolve4RowsHorizontally ? 4 : 0);
+
+    // check for too-big allocation requests : crbug.com/528628
+    {
+        int64_t size = sk_64_mul(rowBufferWidth, rowBufferHeight);
+        // need some limit, to avoid over-committing success from malloc, but then
+        // crashing when we try to actually use the memory.
+        // 100meg seems big enough to allow "normal" zoom factors and image sizes through
+        // while avoiding the crash seen by the bug (crbug.com/528628)
+        if (size > 100 * 1024 * 1024) {
+//            SkDebugf("BGRAConvolve2D: tmp allocation [%lld] too big\n", size);
+            return false;
+        }
+    }
+
     CircularRowBuffer rowBuffer(rowBufferWidth,
                                 rowBufferHeight,
                                 filterOffset);
@@ -486,4 +501,5 @@
                                sourceHasAlpha);
         }
     }
+    return true;
 }

src/core/SkConvolver.h

diff --git a/src/core/SkConvolver.h b/src/core/SkConvolver.h
index 4e4d806..00305fa 100644
--- a/src/core/SkConvolver.h
+++ b/src/core/SkConvolver.h
@@ -193,7 +193,11 @@
 //
 // The layout in memory is assumed to be 4-bytes per pixel in B-G-R-A order
 // (this is ARGB when loaded into 32-bit words on a little-endian machine).
-SK_API void BGRAConvolve2D(const unsigned char* sourceData,
+/**
+ *  Returns false if it was unable to perform the convolution/rescale. in which case the output
+ *  buffer is assumed to be undefined.
+ */
+SK_API bool BGRAConvolve2D(const unsigned char* sourceData,
     int sourceByteRowStride,
     bool sourceHasAlpha,
     const SkConvolutionFilter1D& xfilter,