Skia: Validate allocation size in GrBufferAllocPool using SkSafeMath.

Upstream port of commit 7469a9341afab19271b8ef07af5c16a0f2c4ccc1

1 files changed, 8 insertions, 3 deletions

diff --git a/gfx/skia/skia/src/gpu/GrBufferAllocPool.cpp b/gfx/skia/skia/src/gpu/GrBufferAllocPool.cpp
index 993e1c59d..c6097b03b 100644
--- a/gfx/skia/skia/src/gpu/GrBufferAllocPool.cpp
+++ b/gfx/skia/skia/src/gpu/GrBufferAllocPool.cpp
@@ -152,13 +152,18 @@ void* GrBufferAllocPool::makeSpace(size_t size,
         BufferBlock& back = fBlocks.back();
         size_t usedBytes = back.fBuffer->gpuMemorySize() - back.fBytesFree;
         size_t pad = GrSizeAlignUpPad(usedBytes, alignment);
-        if ((size + pad) <= back.fBytesFree) {
+        SkSafeMath safeMath;
+        size_t alignedSize = safeMath.add(pad, size);
+        if (!safeMath.ok()) {
+            return nullptr;
+        }
+        if (alignedSize <= back.fBytesFree) {
             memset((void*)(reinterpret_cast<intptr_t>(fBufferPtr) + usedBytes), 0, pad);
             usedBytes += pad;
             *offset = usedBytes;
             *buffer = back.fBuffer;
-            back.fBytesFree -= size + pad;
-            fBytesInUse += size + pad;
+            back.fBytesFree -= alignedSize;
+            fBytesInUse += alignedSize;
             VALIDATE();
             return (void*)(reinterpret_cast<intptr_t>(fBufferPtr) + usedBytes);
         }