authorpkasting@chromium.org <pkasting@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-06-09 23:03:40 +0000
committerpkasting@chromium.org <pkasting@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-06-09 23:03:40 +0000
commitc5d8ae6724310e5fe5c127623ca419c713941aee (patch)
treebe2e70e6d54d9c309cfffdce9f7aea6af3b4f5aa /base/gfx
parent858df77725dd21cd8e2a970c49a8570a86eda09c (diff)
Liberalize the size limits in the PNG decoder to match the changes landed upstream to all the WebKit image decoders. I'm not sure where this is used, hence no test.
BUG=3643 TEST=none Review URL: http://codereview.chromium.org/118462 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@17988 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'base/gfx')
-rw-r--r--base/gfx/png_decoder.cc12
1 files changed, 7 insertions, 5 deletions
diff --git a/base/gfx/png_decoder.cc b/base/gfx/png_decoder.cc
index 1a45057..e493464 100644
--- a/base/gfx/png_decoder.cc
+++ b/base/gfx/png_decoder.cc
@@ -51,9 +51,6 @@ const double kMaxGamma = 21474.83; // Maximum gamma accepted by png library.
const double kDefaultGamma = 2.2;
const double kInverseGamma = 1.0 / kDefaultGamma;
-// Maximum pixel dimension we'll try to decode.
-const png_uint_32 kMaxSize = 4096;
-
class PngDecoderState {
public:
PngDecoderState(PNGDecoder::ColorFormat ofmt, std::vector<unsigned char>* o)
@@ -123,8 +120,13 @@ void DecodeInfoCallback(png_struct* png_ptr, png_info* info_ptr) {
&interlace_type, &compression_type, &filter_type);
// Bounds check. When the image is unreasonably big, we'll error out and
- // end up back at the setjmp call when we set up decoding.
- if (w > kMaxSize || h > kMaxSize)
+ // end up back at the setjmp call when we set up decoding. "Unreasonably big"
+ // means "big enough that w * h * 32bpp might overflow an int"; we choose this
+ // threshold to match WebKit and because a number of places in code assume
+ // that an image's size (in bytes) fits in a (signed) int.
+ unsigned long long total_size =
+ static_cast<unsigned long long>(w) * static_cast<unsigned long long>(h);
+ if (total_size > ((1 << 29) - 1))
longjmp(png_ptr->jmpbuf, 1);
state->width = static_cast<int>(w);
state->height = static_cast<int>(h);
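Review bot: The bound `(1 << 29) - 1` in the new `if` is a bare literal whose derivation (2^29 pixels × 4 bytes = 2^31 bytes, the first size that no longer fits a signed int) exists only in the comment above it, and the hunk at L27-L28 removes the named `kMaxSize` without putting a named replacement in its place; a single definition such as `const unsigned long long kMaxPixels = (1 << 29) - 1;  // w * h * 4 bytes must fit in a signed int` next to the other constants, with `if (total_size > kMaxPixels)`, keeps the limit greppable and the "32bpp" assumption tied to the number. The product check only makes the later `static_cast<int>(w)` and `static_cast<int>(h)` safe when both dimensions are non-zero (a zero width paired with a 32-bit height passes `total_size > ...` and the cast wraps negative); libpng appears to reject zero dimensions in IHDR before this callback runs, but the comment should state that assumption, e.g. `// libpng rejects zero width/height in IHDR, so each of w, h is <= kMaxPixels here.` DecodeInfoCallback starts before this hunk.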