Limit surfaces/images to 2GB in size

brianosman · SkCQ · commit e262e6882477 · 2021-11-15T21:32:43.000Z
The CPU blitters use signed 32-bit offsets when gathering source pixels, so any image larger than that can't be fully indexed. Instead, we'd wrap around and sample from invalid memory. This does put a new (smaller) limit on valid image sizes, but it seems unlikely to impact any client. Bug: chromium:1264705 Change-Id: I21b088c11b49e6410b1f237cbfb6b1639cb22ca0 Reviewed-on: https://skia-review.googlesource.com/c/skia/+/471764 Reviewed-by: Herb Derby <herb@google.com> Reviewed-by: Brian Salomon <bsalomon@google.com> Commit-Queue: Brian Osman <brianosman@google.com>
diff --git a/RELEASE_NOTES.txt b/RELEASE_NOTES.txt
@@ -12,6 +12,8 @@ Milestone 98
   * GrBackendSemaphore only includes methods that match the GPU backend that Skia was compiled for.
     For example, initVulkan and vkSemaphore are not defined unless the Vulkan backend is compiled
     into Skia.
+  * Surfaces and images are now limited to just under 2GB of total size. Previously, larger images
+    could be created, but the CPU backend would fail to index them correctly.
 
 
 Milestone 97
diff --git a/src/core/SkImageInfo.cpp b/src/core/SkImageInfo.cpp
@@ -63,7 +63,12 @@ size_t SkImageInfo::computeByteSize(size_t rowBytes) const {
     SkSafeMath safe;
     size_t bytes = safe.add(safe.mul(safe.addInt(this->height(), -1), rowBytes),
                             safe.mul(this->width(), this->bytesPerPixel()));
-    return safe.ok() ? bytes : SIZE_MAX;
+
+    // The CPU backend implements some memory operations on images using instructions that take a
+    // signed 32-bit offset from the base. If we ever make an image larger than that, overflow can
+    // cause us to read/write memory that starts 2GB *before* the buffer. (crbug.com/1264705)
+    constexpr size_t kMaxSigned32BitSize = SK_MaxS32;
+    return (safe.ok() && (bytes <= kMaxSigned32BitSize)) ? bytes : SIZE_MAX;
 }
 
 SkImageInfo SkImageInfo::MakeS32(int width, int height, SkAlphaType at) {
diff --git a/tests/ImageFilterTest.cpp b/tests/ImageFilterTest.cpp
@@ -2057,3 +2057,15 @@ DEF_TEST(PictureImageSourceBounds, reporter) {
                                                              SkImageFilter::kReverse_MapDirection,
                                                              &input));
 }
+
+DEF_TEST(DropShadowImageFilter_Huge, reporter) {
+    // Successful if it doesn't crash or trigger ASAN. (crbug.com/1264705)
+    auto surf = SkSurface::MakeRasterN32Premul(300, 150);
+
+    SkPaint paint;
+    paint.setImageFilter(SkImageFilters::DropShadowOnly(
+            0.0f, 0.437009f, 14129.6f, 14129.6f, SK_ColorGRAY, nullptr));
+
+    surf->getCanvas()->saveLayer(nullptr, &paint);
+    surf->getCanvas()->restore();
+}
