diff options
| author | Leon Scroggins III <scroggo@google.com> | 2015-05-21 09:48:15 -0400 |
|---|---|---|
| committer | Leon Scroggins III <scroggo@google.com> | 2015-05-21 12:20:26 -0400 |
| commit | 462dd010467fdf1ab0cb49e021a92d14f2163c8c (patch) | |
| tree | 7216d95676b4bfaef4a3b9e66f47ec28efa8f3f1 /core | |
| parent | d457c71eca2a0522793376a873dcdad318a2f798 (diff) | |
| download | frameworks_base-462dd010467fdf1ab0cb49e021a92d14f2163c8c.zip frameworks_base-462dd010467fdf1ab0cb49e021a92d14f2163c8c.tar.gz frameworks_base-462dd010467fdf1ab0cb49e021a92d14f2163c8c.tar.bz2 | |
Fix overflow in NinePatchImpl.
Cast numXDivs to a size_t before adding 1, so that if numXDivs is 255
it does not overflow. Move the calculation outside of alloca().
BUG:20727488
Change-Id: I2ecc9d650338acba7316554cb72195e02816b1f8
Diffstat (limited to 'core')
| -rw-r--r-- | core/jni/android/graphics/NinePatchImpl.cpp | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/core/jni/android/graphics/NinePatchImpl.cpp b/core/jni/android/graphics/NinePatchImpl.cpp index 323f832..978c4a5 100644 --- a/core/jni/android/graphics/NinePatchImpl.cpp +++ b/core/jni/android/graphics/NinePatchImpl.cpp @@ -180,7 +180,10 @@ void NinePatch_Draw(SkCanvas* canvas, const SkRect& bounds, const int bitmapWidth = bitmap.width(); const int bitmapHeight = bitmap.height(); - SkScalar* dstRights = (SkScalar*) alloca((numXDivs + 1) * sizeof(SkScalar)); + // Number of bytes needed for dstRights array. + // Need to cast numXDivs to a larger type to avoid overflow. + const size_t dstBytes = ((size_t) numXDivs + 1) * sizeof(SkScalar); + SkScalar* dstRights = (SkScalar*) alloca(dstBytes); bool dstRightsHaveBeenCached = false; int numStretchyXPixelsRemaining = 0; |