Merge from Chromium at DEPS revision 33.0.1750.22

This commit was generated by merge_to_master.py.

Change-Id: If3ffc5db2f0f726ea2d300ec9d8403dc37068efe
diff --git a/core/SkImageInfo.cpp b/core/SkImageInfo.cpp
index 461bdc0..967b4f6 100644
--- a/core/SkImageInfo.cpp
+++ b/core/SkImageInfo.cpp
@@ -8,6 +8,14 @@
 #include "SkImageInfo.h"
 #include "SkFlattenableBuffers.h"
 
+static bool alpha_type_is_valid(SkAlphaType alphaType) {
+    return (alphaType >= 0) && (alphaType <= kLastEnum_SkAlphaType);
+}
+
+static bool color_type_is_valid(SkColorType colorType) {
+    return (colorType >= 0) && (colorType <= kLastEnum_SkColorType);
+}
+
 void SkImageInfo::unflatten(SkFlattenableReadBuffer& buffer) {
     fWidth = buffer.read32();
     fHeight = buffer.read32();
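Review bot: `alpha_type_is_valid` and `color_type_is_valid` take the enum types, so the range check can only run on a value that has already been cast from the serialized byte. If SkAlphaType and SkColorType are plain enums without a fixed underlying type (their declarations are not visible here), converting an out-of-range integer to them is not well defined, and a compiler may assume the comparison always holds. Taking the raw integer and casting only after the check avoids relying on that, e.g. `static bool alpha_type_is_valid(int value) { return value >= 0 && value <= kLastEnum_SkAlphaType; }`. A one-line comment that these helpers guard values read from an untrusted buffer would also help the next reader.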
@@ -16,6 +24,8 @@
     SkASSERT(0 == (packed >> 16));
     fAlphaType = (SkAlphaType)((packed >> 8) & 0xFF);
     fColorType = (SkColorType)((packed >> 0) & 0xFF);
+    buffer.validate(alpha_type_is_valid(fAlphaType) &&
+                    color_type_is_valid(fColorType));
 }
 
 void SkImageInfo::flatten(SkFlattenableWriteBuffer& buffer) const {
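Review bot: The added `buffer.validate(...)` covers only the two enum fields, while `fWidth` and `fHeight` come straight from `buffer.read32()` at the top of `unflatten` (which starts in the previous hunk) and are never range-checked. Assuming the dimensions are signed, a negative width or height from a crafted buffer still reaches later size computations with the buffer marked valid. The `SkASSERT(0 == (packed >> 16))` is presumably compiled out of release builds, so the reserved bits go unchecked there as well. Folding these into the same call would reject all of them together: `buffer.validate(fWidth >= 0 && fHeight >= 0 && 0 == (packed >> 16) && alpha_type_is_valid(fAlphaType) && color_type_is_valid(fColorType));`.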
diff --git a/core/SkMallocPixelRef.cpp b/core/SkMallocPixelRef.cpp
index 25337e7..d3bf9d1 100644
--- a/core/SkMallocPixelRef.cpp
+++ b/core/SkMallocPixelRef.cpp
@@ -142,7 +142,7 @@
     , fOwnPixels(true)
 {
     fRB = buffer.read32();
-    size_t size = this->info().getSafeSize(fRB);
+    size_t size = buffer.isValid() ? this->info().getSafeSize(fRB) : 0;
     fStorage = sk_malloc_throw(size);
     buffer.readByteArray(fStorage, size);
     if (buffer.readBool()) {
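Review bot: `fRB` is read with `buffer.read32()` and passed to `getSafeSize(fRB)` without being compared against the row size that the info's width and pixel format imply. Whenever the buffer is still valid, the serialized stream therefore chooses the allocation size, and a row-bytes value smaller than one row of pixels is accepted. The result of `buffer.readByteArray(fStorage, size)` is also not checked; if that call can fail or read fewer bytes, `fStorage` keeps whatever `sk_malloc_throw` returned, which is uninitialized heap memory that could later be drawn or re-serialized. I would validate `fRB` against the minimum row bytes before sizing, and zero the storage or mark the buffer invalid when the read does not deliver `size` bytes. The constructor begins and ends outside this hunk, so some of this may already be handled further down.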
diff --git a/core/SkRegion_path.cpp b/core/SkRegion_path.cpp
index ec4d9f0..98e937c 100644
--- a/core/SkRegion_path.cpp
+++ b/core/SkRegion_path.cpp
@@ -15,6 +15,7 @@
 
 class SkRgnBuilder : public SkBlitter {
 public:
+    SkRgnBuilder();
     virtual ~SkRgnBuilder();
 
     // returns true if it could allocate the working storage needed
@@ -98,6 +99,10 @@
     }
 };
 
+SkRgnBuilder::SkRgnBuilder()
+    : fStorage(NULL) {
+}
+
 SkRgnBuilder::~SkRgnBuilder() {
     sk_free(fStorage);
 }
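Review bot: The new constructor carries no comment explaining why `fStorage` must start as NULL. The destructor calls `sk_free(fStorage)` unconditionally, so a builder destroyed before its working storage is allocated would otherwise free an indeterminate pointer. I would add `// Freed unconditionally in the destructor, so it must be NULL until storage is allocated.` above the initializer. The other members of SkRgnBuilder are not visible in this hunk; any pointer among them that can be read before the allocation step succeeds wants the same initialization.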