am 16ac8ad7: am 4a6ca672: Make Bitmap_createFromParcel check the color count. DO NOT MERGE

* commit '16ac8ad7fac73524b5296f955884bd2aec405ded': Make Bitmap_createFromParcel check the color count. DO NOT MERGE
author: Leon Scroggins III <scroggo@google.com> 2015-04-24 17:15:43 +0000
committer: Android Git Automerger <android-git-automerger@android.com> 2015-04-24 17:15:43 +0000
commit: 38cf068c04e1ce244529b95f6cc6d7d6a88fab24 (patch)
tree: 2ec4181e373c36426542590a83d3c2d3426ee85c
parent: 44fa5e71ab709c83af387958598f551583d6dbb0 (diff)
parent: 16ac8ad7fac73524b5296f955884bd2aec405ded (diff)
download: base-38cf068c04e1ce244529b95f6cc6d7d6a88fab24.tar.gz
1 files changed, 15 insertions, 7 deletions
diff --git a/core/jni/android/graphics/Bitmap.cpp b/core/jni/android/graphics/Bitmap.cpp
index d7eef6ed0cd3..30792180387f 100755
--- a/core/jni/android/graphics/Bitmap.cpp
+++ b/core/jni/android/graphics/Bitmap.cpp
@@ -575,24 +575,33 @@ static jobject Bitmap_createFromParcel(JNIEnv* env, jobject, jobject parcel) {
         return NULL;
     }
 
-    SkBitmap* bitmap = new SkBitmap;
+    SkAutoTDelete<SkBitmap> bitmap(new SkBitmap);
 
-    bitmap->setInfo(SkImageInfo::Make(width, height, colorType, alphaType), rowBytes);
+    if (!bitmap->setInfo(SkImageInfo::Make(width, height, colorType, alphaType), rowBytes)) {
+        return NULL;
+    }
 
     SkColorTable* ctable = NULL;
     if (colorType == kIndex_8_SkColorType) {
         int count = p->readInt32();
+        if (count < 0 || count > 256) {
+            // The data is corrupt, since SkColorTable enforces a value between 0 and 256,
+            // inclusive.
+            return NULL;
+        }
         if (count > 0) {
             size_t size = count * sizeof(SkPMColor);
             const SkPMColor* src = (const SkPMColor*)p->readInplace(size);
+            if (src == NULL) {
+                return NULL;
+            }
             ctable = new SkColorTable(src, count);
         }
     }
 
-    jbyteArray buffer = GraphicsJNI::allocateJavaPixelRef(env, bitmap, ctable);
+    jbyteArray buffer = GraphicsJNI::allocateJavaPixelRef(env, bitmap.get(), ctable);
     if (NULL == buffer) {
         SkSafeUnref(ctable);
-        delete bitmap;
         return NULL;
     }
 
@@ -604,7 +613,6 @@ static jobject Bitmap_createFromParcel(JNIEnv* env, jobject, jobject parcel) {
     android::status_t status = p->readBlob(size, &blob);
     if (status) {
         doThrowRE(env, "Could not read bitmap from parcel blob.");
-        delete bitmap;
         return NULL;
     }
 
@@ -614,8 +622,8 @@ static jobject Bitmap_createFromParcel(JNIEnv* env, jobject, jobject parcel) {
 
     blob.release();
 
-    return GraphicsJNI::createBitmap(env, bitmap, buffer, getPremulBitmapCreateFlags(isMutable),
-            NULL, NULL, density);
+    return GraphicsJNI::createBitmap(env, bitmap.detach(), buffer,
+            getPremulBitmapCreateFlags(isMutable), NULL, NULL, density);
 }
 
 static jboolean Bitmap_writeToParcel(JNIEnv* env, jobject,
author	Leon Scroggins III <scroggo@google.com>	2015-04-24 17:15:43 +0000
committer	Android Git Automerger <android-git-automerger@android.com>	2015-04-24 17:15:43 +0000
commit	38cf068c04e1ce244529b95f6cc6d7d6a88fab24 (patch)
tree	2ec4181e373c36426542590a83d3c2d3426ee85c
parent	44fa5e71ab709c83af387958598f551583d6dbb0 (diff)
parent	16ac8ad7fac73524b5296f955884bd2aec405ded (diff)
download	base-38cf068c04e1ce244529b95f6cc6d7d6a88fab24.tar.gz