author | Leon Scroggins III <scroggo@google.com> | 2015-04-23 15:53:24 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2015-04-23 15:53:24 +0000 |
commit | 16ac8ad7fac73524b5296f955884bd2aec405ded (patch) | |
tree | 9e249b41c6fe8be388a7388d3ab71ed08f063117 /core | |
parent | 17bb697b3bce1b23137553829dd62e0e7c16b472 (diff) | |
parent | 4a6ca6724c789603626d74a8cc187365788a6cfd (diff) | |
am 4a6ca672: Make Bitmap_createFromParcel check the color count. DO NOT MERGE
* commit '4a6ca6724c789603626d74a8cc187365788a6cfd':
Make Bitmap_createFromParcel check the color count. DO NOT MERGE
Diffstat (limited to 'core')
-rwxr-xr-x | core/jni/android/graphics/Bitmap.cpp | 22 |
1 files changed, 15 insertions, 7 deletions
diff --git a/core/jni/android/graphics/Bitmap.cpp b/core/jni/android/graphics/Bitmap.cpp
index 70cf9a8..4785f05 100755
--- a/core/jni/android/graphics/Bitmap.cpp
+++ b/core/jni/android/graphics/Bitmap.cpp
@@ -575,24 +575,33 @@ static jobject Bitmap_createFromParcel(JNIEnv* env, jobject, jobject parcel) {
 return NULL;
 }
- SkBitmap* bitmap = new SkBitmap;
+ SkAutoTDelete<SkBitmap> bitmap(new SkBitmap);
- bitmap->setInfo(SkImageInfo::Make(width, height, colorType, alphaType), rowBytes);
+ if (!bitmap->setInfo(SkImageInfo::Make(width, height, colorType, alphaType), rowBytes)) {
+ return NULL;
+ }
 SkColorTable* ctable = NULL;
 if (colorType == kIndex_8_SkColorType) {
 int count = p->readInt32();
+ if (count < 0 || count > 256) {
+ // The data is corrupt, since SkColorTable enforces a value between 0 and 256,
+ // inclusive.
+ return NULL;
+ }
 if (count > 0) {
 size_t size = count * sizeof(SkPMColor);
 const SkPMColor* src = (const SkPMColor*)p->readInplace(size);
+ if (src == NULL) {
+ return NULL;
+ }
 ctable = new SkColorTable(src, count);
 }
 }
- jbyteArray buffer = GraphicsJNI::allocateJavaPixelRef(env, bitmap, ctable);
+ jbyteArray buffer = GraphicsJNI::allocateJavaPixelRef(env, bitmap.get(), ctable);
 if (NULL == buffer) {
 SkSafeUnref(ctable);
- delete bitmap;
 return NULL;
 }
@@ -604,7 +613,6 @@ static jobject Bitmap_createFromParcel(JNIEnv* env, jobject, jobject parcel) {
 android::status_t status = p->readBlob(size, &blob);
 if (status) {
 doThrowRE(env, "Could not read bitmap from parcel blob.");
- delete bitmap;
 return NULL;
 }
@@ -614,8 +622,8 @@ static jobject Bitmap_createFromParcel(JNIEnv* env, jobject, jobject parcel) {
 blob.release();
- return GraphicsJNI::createBitmap(env, bitmap, buffer, getPremulBitmapCreateFlags(isMutable),
- NULL, NULL, density);
+ return GraphicsJNI::createBitmap(env, bitmap.detach(), buffer,
+ getPremulBitmapCreateFlags(isMutable), NULL, NULL, density);
 }
 static jboolean Bitmap_writeToParcel(JNIEnv* env, jobject, |
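Review bot: The new range check in the first hunk, `if (count < 0 || count > 256)`, still accepts `count == 0`, which leaves `ctable` NULL for a `kIndex_8_SkColorType` bitmap, and any count below 256 produces a table shorter than the range of the 8-bit indices in the pixel data. Whether the code that later consumes the pixel ref bounds-checks indices against the table's count is not visible here, so this should be confirmed; if an empty table is never valid for this color type, the guard could be `if (count <= 0 || count > 256)`. The added early returns also hand back NULL without raising anything, unlike the `doThrowRE` path in the second hunk, so a log line or comment stating that the parcel was rejected as corrupt would help callers diagnose it. Bitmap_createFromParcel begins and ends outside this hunk.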
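Review bot: In the third hunk, `bitmap.detach()` gives up the auto-deleter's ownership at the call site, so the bitmap is freed on failure only if `GraphicsJNI::createBitmap` takes ownership on every path, including when it returns NULL; that function is not shown here. Once confirmed against its implementation, a comment above the return would record the assumption, e.g. `// createBitmap takes ownership of the SkBitmap, including on failure.`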