| author | Leon Scroggins III <scroggo@google.com> | 2015-04-23 15:48:12 +0000 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2015-04-23 15:48:12 +0000 |
| commit | a7501119e341626536ce12c3539c2f9a986a2945 (patch) | |
| tree | 1765d6a6dadeb53968993f687eb66a91274a386f | |
| parent | 545dd853bffbf778a0a44816ac6ed381b13f2158 (diff) | |
| parent | 69b8e962e1b8346b33a2c14889547a0ac00c8b17 (diff) | |
am 69b8e962: Make Bitmap_createFromParcel check the color count. DO NOT MERGE
* commit '69b8e962e1b8346b33a2c14889547a0ac00c8b17':
Make Bitmap_createFromParcel check the color count. DO NOT MERGE
| -rw-r--r-- | core/jni/android/graphics/Bitmap.cpp | 22 |
1 files changed, 15 insertions, 7 deletions
diff --git a/core/jni/android/graphics/Bitmap.cpp b/core/jni/android/graphics/Bitmap.cpp
index 2125763..9992308 100644
--- a/core/jni/android/graphics/Bitmap.cpp
+++ b/core/jni/android/graphics/Bitmap.cpp
@@ -488,24 +488,33 @@ static jobject Bitmap_createFromParcel(JNIEnv* env, jobject, jobject parcel) {
 return NULL;
}
- SkBitmap* bitmap = new SkBitmap;
+ SkAutoTDelete<SkBitmap> bitmap(new SkBitmap);
- bitmap->setConfig(config, width, height, rowBytes);
+ if (!bitmap->setConfig(config, width, height, rowBytes)) {
+ return NULL;
+ }
SkColorTable* ctable = NULL;
if (config == SkBitmap::kIndex8_Config) {
int count = p->readInt32();
+ if (count < 0 || count > 256) {
+ // The data is corrupt, since SkColorTable enforces a value between 0 and 256,
+ // inclusive.
+ return NULL;
+ }
if (count > 0) {
size_t size = count * sizeof(SkPMColor);
const SkPMColor* src = (const SkPMColor*)p->readInplace(size);
+ if (src == NULL) {
+ return NULL;
+ }
ctable = new SkColorTable(src, count);
}
}
- jbyteArray buffer = GraphicsJNI::allocateJavaPixelRef(env, bitmap, ctable);
+ jbyteArray buffer = GraphicsJNI::allocateJavaPixelRef(env, bitmap.get(), ctable);
if (NULL == buffer) {
SkSafeUnref(ctable);
- delete bitmap;
return NULL;
}
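Review bot: The new rejections in this hunk (failed `setConfig`, color count outside 0..256, `readInplace` returning NULL) all return NULL without leaving a trace, so a truncated or deliberately malformed parcel is indistinguishable from any other failure when someone later triages it. A log line before each return would fix that, for example `SkDebugf("Bitmap_createFromParcel invalid color count: %d\n", count);`, and the `src == NULL` check deserves a comment such as `// readInplace returns NULL when fewer than size bytes remain in the parcel`. The count check also only bounds the table size: with `count == 0` an Index8 bitmap still reaches `allocateJavaPixelRef` with `ctable == NULL`, and a table shorter than 256 entries does not constrain the 8-bit pixel values copied in later, so it is worth confirming how the code outside this hunk treats both cases. The function begins before and continues after the hunk.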
@@ -517,7 +526,6 @@ static jobject Bitmap_createFromParcel(JNIEnv* env, jobject, jobject parcel) {
 android::status_t status = p->readBlob(size, &blob);
if (status) {
doThrowRE(env, "Could not read bitmap from parcel blob.");
- delete bitmap;
return NULL;
}
@@ -527,8 +535,8 @@ static jobject Bitmap_createFromParcel(JNIEnv* env, jobject, jobject parcel) {
 blob.release();
- return GraphicsJNI::createBitmap(env, bitmap, buffer, getPremulBitmapCreateFlags(isMutable),
- NULL, NULL, density);
+ return GraphicsJNI::createBitmap(env, bitmap.detach(), buffer,
+ getPremulBitmapCreateFlags(isMutable), NULL, NULL, density);
}
static jboolean Bitmap_writeToParcel(JNIEnv* env, jobject,
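Review bot: `bitmap.detach()` gives up ownership at the call site, so if `GraphicsJNI::createBitmap` can fail and return NULL without freeing its argument, the SkBitmap leaks on that path just as it did before the smart pointer was introduced. createBitmap is not visible here, so this is something to confirm rather than a known leak. If it does take ownership unconditionally, a comment on the call such as `// createBitmap takes ownership of the SkBitmap, hence detach()` would record the contract for the next reader. The function starts before this hunk.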
