Workaround bad bitmaps in clibpoard code

- Some bitmaps end up with a NULL getPixels(). Don't try to copy ot of that. - Only try to copy 32-bit bitmaps - Protect against overflow in size computation BUG=369621 Review URL: https://codereview.chromium.org/289573002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@271730 0039d316-1c4b-4281-b951-d872f2087c98
author: piman@chromium.org <piman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2014-05-20 19:26:31 +0000
committer: piman@chromium.org <piman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2014-05-20 19:26:31 +0000
commit: e4be88bde4a9b1f0d9a56bfc68447e0105657457 (patch)
tree: cecf7415d2a5adef8744c94c70ce23f798f26183
parent: 93555babea36692d55f3e8548cd495e339980498 (diff)
download: chromium_src-e4be88bde4a9b1f0d9a56bfc68447e0105657457.zip
chromium_src-e4be88bde4a9b1f0d9a56bfc68447e0105657457.tar.gz
chromium_src-e4be88bde4a9b1f0d9a56bfc68447e0105657457.tar.bz2
2 files changed, 16 insertions, 2 deletions
diff --git a/content/renderer/renderer_clipboard_client.cc b/content/renderer/renderer_clipboard_client.cc
index c1c7c96..e4f275c 100644
--- a/content/renderer/renderer_clipboard_client.cc
+++ b/content/renderer/renderer_clipboard_client.cc
@@ -7,6 +7,7 @@
 #include "content/renderer/renderer_clipboard_client.h"
 
 #include "base/memory/shared_memory.h"
+#include "base/numerics/safe_math.h"
 #include "base/strings/string16.h"
 #include "content/common/clipboard_messages.h"
 #include "content/public/renderer/content_renderer_client.h"
@@ -49,7 +50,13 @@ void RendererClipboardWriteContext::WriteBitmapFromPixels(
   if (shared_buf_)
     return;
 
-  uint32 buf_size = 4 * size.width() * size.height();
+  base::CheckedNumeric<uint32> checked_buf_size = 4;
+  checked_buf_size *= size.width();
+  checked_buf_size *= size.height();
+  if (!checked_buf_size.IsValid())
+    return;
+
+  uint32 buf_size = checked_buf_size.ValueOrDie();
 
   // Allocate a shared memory buffer to hold the bitmap bits.
   shared_buf_.reset(ChildThread::current()->AllocateSharedMemory(buf_size));
diff --git a/content/renderer/webclipboard_impl.cc b/content/renderer/webclipboard_impl.cc
index 317ec7d..663d6f0 100644
--- a/content/renderer/webclipboard_impl.cc
+++ b/content/renderer/webclipboard_impl.cc
@@ -155,8 +155,15 @@ void WebClipboardImpl::writeImage(const WebImage& image,
 
   if (!image.isNull()) {
     const SkBitmap& bitmap = image.getSkBitmap();
+    // WriteBitmapFromPixels expects 32-bit data.
+    DCHECK_EQ(bitmap.config(), SkBitmap::kARGB_8888_Config);
+
     SkAutoLockPixels locked(bitmap);
-    scw.WriteBitmapFromPixels(bitmap.getPixels(), image.size());
+    void *pixels = bitmap.getPixels();
+    // TODO(piman): this should not be NULL, but it is. crbug.com/369621
+    if (!pixels)
+      return;
+    scw.WriteBitmapFromPixels(pixels, image.size());
   }
 
   if (!url.isEmpty()) {
author	piman@chromium.org <piman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2014-05-20 19:26:31 +0000
committer	piman@chromium.org <piman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2014-05-20 19:26:31 +0000
commit	e4be88bde4a9b1f0d9a56bfc68447e0105657457 (patch)
tree	cecf7415d2a5adef8744c94c70ce23f798f26183
parent	93555babea36692d55f3e8548cd495e339980498 (diff)
download	chromium_src-e4be88bde4a9b1f0d9a56bfc68447e0105657457.zip chromium_src-e4be88bde4a9b1f0d9a56bfc68447e0105657457.tar.gz chromium_src-e4be88bde4a9b1f0d9a56bfc68447e0105657457.tar.bz2