authorLeon Scroggins III <scroggo@google.com>2020-01-22 14:18:12 -0500
committerLeon Scroggins III <scroggo@google.com>2020-01-22 14:18:12 -0500
commitd894c59881d1172f98981fa0da7a675cbd7130b8 (patch)
tree8b14f46d4dbc814dfdadcf01a786a71cd7e83cf1 /native
parent380f3c9ae622c7284d88afbab4732291b472f64b (diff)
AImageDecoder: ensure that stride is pixel aligned
Bug: 147749998 Test: I902de3410c45a21cf27b48a02cdc5d514b7ada60 If the client uses a stride that is not pixel aligned, AImageDecoder will crash internally trying to access the memory. Return a failure instead of crashing. Rely on SkImageInfo to compute the minimum size required, too. Change-Id: Ia4d14d6209e6f4af74906ff43208fa83ac82cbcd
Diffstat (limited to 'native')
-rw-r--r--native/graphics/jni/imagedecoder.cpp8
1 files changed, 3 insertions, 5 deletions
diff --git a/native/graphics/jni/imagedecoder.cpp b/native/graphics/jni/imagedecoder.cpp
index 51439672d404..c3b3bf3e2f17 100644
--- a/native/graphics/jni/imagedecoder.cpp
+++ b/native/graphics/jni/imagedecoder.cpp
@@ -289,11 +289,9 @@ int AImageDecoder_decodeImage(AImageDecoder* decoder,
ImageDecoder* imageDecoder = toDecoder(decoder);
- const int height = imageDecoder->getOutputInfo().height();
- const size_t minStride = AImageDecoder_getMinimumStride(decoder);
- // If this calculation were to overflow, it would have been caught in
- // setTargetSize.
- if (stride < minStride || size < stride * (height - 1) + minStride) {
+ SkImageInfo info = imageDecoder->getOutputInfo();
+ size_t minSize = info.computeByteSize(stride);
+ if (SkImageInfo::ByteSizeOverflowed(minSize) || size < minSize || !info.validRowBytes(stride)) {
return ANDROID_IMAGE_DECODER_BAD_PARAMETER;
}
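Review bot: The combined condition on the new `if` line has no comment, whereas the comment it replaces explained the overflow reasoning, so a reader cannot tell that `info.validRowBytes(stride)` is the part that rejects a stride that is too small or not a multiple of the pixel size. I would test the stride first and say why, e.g. `// Reject a stride below the minimum row bytes or not pixel aligned; the decode writes into client memory.` above `if (!info.validRowBytes(stride)) return ANDROID_IMAGE_DECODER_BAD_PARAMETER;`, and only then compare `size` against `info.computeByteSize(stride)`. `info` and `minSize` are not modified in the visible lines and could be declared `const`. The body of AImageDecoder_decodeImage starts and ends outside the hunk, so whether the later decode call uses this same SkImageInfo cannot be confirmed from here.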