From d894c59881d1172f98981fa0da7a675cbd7130b8 Mon Sep 17 00:00:00 2001
From: Leon Scroggins III
Date: Wed, 22 Jan 2020 14:18:12 -0500
Subject: AImageDecoder: ensure that stride is pixel aligned
Bug: 147749998
Test: I902de3410c45a21cf27b48a02cdc5d514b7ada60
If the client uses a stride that is not pixel aligned, AImageDecoder will crash internally trying to access the memory. Return a failure instead of crashing. Rely on SkImageInfo to compute the minimum size required, too.
Change-Id: Ia4d14d6209e6f4af74906ff43208fa83ac82cbcd
---
 native/graphics/jni/imagedecoder.cpp | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
(limited to 'native')
diff --git a/native/graphics/jni/imagedecoder.cpp b/native/graphics/jni/imagedecoder.cpp
index 51439672d404..c3b3bf3e2f17 100644
--- a/native/graphics/jni/imagedecoder.cpp
+++ b/native/graphics/jni/imagedecoder.cpp
@@ -289,11 +289,9 @@ int AImageDecoder_decodeImage(AImageDecoder* decoder,
 ImageDecoder* imageDecoder = toDecoder(decoder);
- const int height = imageDecoder->getOutputInfo().height();
- const size_t minStride = AImageDecoder_getMinimumStride(decoder);
- // If this calculation were to overflow, it would have been caught in
- // setTargetSize.
- if (stride < minStride || size < stride * (height - 1) + minStride) {
+ SkImageInfo info = imageDecoder->getOutputInfo();
+ size_t minSize = info.computeByteSize(stride);
+ if (SkImageInfo::ByteSizeOverflowed(minSize) || size < minSize || !info.validRowBytes(stride)) {
 return ANDROID_IMAGE_DECODER_BAD_PARAMETER;
 }
-- 
cgit v1.2.3
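Review bot: The new `if` derives `minSize` from the caller's `stride` and only tests `info.validRowBytes(stride)` last, and with the old overflow comment removed nothing next to the check says why the stride test exists. The outcome is still safe, since all three conditions are evaluated before any pixel memory is touched, but putting the stride test first reads as validate-then-use: `if (!info.validRowBytes(stride) || SkImageInfo::ByteSizeOverflowed(minSize) || size < minSize) {`. A short comment above it, for example `// Reject a stride that is too small or not a whole number of pixels; a misaligned stride crashed the decoder (Bug: 147749998).`, would keep the reason with the code, and the two new locals could be `const` as the removed ones were. Whether the public header tells callers that a misaligned stride now yields `ANDROID_IMAGE_DECODER_BAD_PARAMETER` is not visible here; the function body starts and ends outside this hunk.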