Fix image decoder memory overwrite bug.

In SkPNGImageDecoder::onDecodeSubset, use png_read_rows to write to
the scratch memory provided. This is what we should have been doing
anyway. Further, writing directly to the bitmap can cause writing
to the wrong memory since the bitmap may not be as big as the
scratch memory in the case of sampling with a short bitmap.

Bug=b/13921093

R=djsollen@google.com

Author: scroggo@google.com

Review URL: https://codereview.chromium.org/423473003
diff --git a/src/images/SkImageDecoder_libpng.cpp b/src/images/SkImageDecoder_libpng.cpp
index 7ff1558..01b7c69 100644
--- a/src/images/SkImageDecoder_libpng.cpp
+++ b/src/images/SkImageDecoder_libpng.cpp
@@ -911,8 +911,7 @@
             for (int i = 0; i < number_passes; i++) {
                 png_configure_decoder(png_ptr, &actualTop, i);
                 for (int j = 0; j < rect.fTop - actualTop; j++) {
-                    uint8_t* bmRow = (uint8_t*)decodedBitmap.getPixels();
-                    png_read_rows(png_ptr, &bmRow, png_bytepp_NULL, 1);
+                    png_read_rows(png_ptr, &base, png_bytepp_NULL, 1);
                 }
                 uint8_t* row = base;
                 for (int32_t y = 0; y < rect.height(); y++) {
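Review bot: In this hunk the rows above the subset are now discarded into `base`, the same address the next line uses for the first kept row (`uint8_t* row = base;`), and this happens once per pass inside the `number_passes` loop. If libpng merges each interlace pass into the existing row contents, a discarded row could leave pixels in that first row that a later pass does not rewrite. That is worth confirming with an interlaced image decoded as a subset whose top lies below `actualTop`, or ruling out by discarding into a separate one-row scratch buffer. Either way a comment above the call would help, e.g. `// Rows above the subset are discarded into scratch, never into decodedBitmap, which can be smaller than the scratch buffer when sampling.` The enclosing function starts and ends outside the hunk, so the allocation size of `base` is not visible here.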
@@ -935,8 +934,7 @@
             skip_src_rows(png_ptr, srcRow, sampler.srcY0());
 
             for (int i = 0; i < rect.fTop - actualTop; i++) {
-                uint8_t* bmRow = (uint8_t*)decodedBitmap.getPixels();
-                png_read_rows(png_ptr, &bmRow, png_bytepp_NULL, 1);
+                png_read_rows(png_ptr, &srcRow, png_bytepp_NULL, 1);
             }
             for (int y = 0; y < height; y++) {
                 uint8_t* tmp = srcRow;
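Review bot: The skip loop in this hunk hand-rolls what the call just above it appears to do already: `skip_src_rows(png_ptr, srcRow, sampler.srcY0());` takes the same decoder, the same scratch row and a count. Assuming that helper reads and discards `count` rows into the buffer it is given, the loop could become `skip_src_rows(png_ptr, srcRow, rect.fTop - actualTop);`, which keeps every discard on one code path and makes a write into `decodedBitmap` harder to reintroduce. The new line also passes `&srcRow` directly while the following loop goes through `uint8_t* tmp = srcRow;`, and using one convention for both would read more clearly. The enclosing function begins and ends outside the hunk.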