Bug 1441941 - Limit allocations in SkTDArray. r=jrmuizel, a=jcristau
authorLee Salzman <lsalzman@mozilla.com>
Mon, 12 Mar 2018 14:38:36 -0400
changeset 462864 6fc09a406b3b2feeb4731d4c11f29be680229b1c
parent 462863 2ac29892c9698adddf973a8dd33c4a2186617350
child 462865 c90dadfb2b20b2d74f859f9c1a74fbbb1b909b77
push id1683
push usersfraser@mozilla.com
push dateThu, 26 Apr 2018 16:43:40 +0000
treeherdermozilla-release@5af6cb21869d [default view] [failures only]
reviewersjrmuizel, jcristau
bugs1441941
milestone60.0
Bug 1441941 - Limit allocations in SkTDArray. r=jrmuizel, a=jcristau MozReview-Commit-ID: 97eTGU3sUCC
gfx/skia/skia/include/private/SkTDArray.h
--- a/gfx/skia/skia/include/private/SkTDArray.h
+++ b/gfx/skia/skia/include/private/SkTDArray.h
@@ -17,17 +17,17 @@ template <typename T> class SkTDArray {
 public:
     SkTDArray() : fArray(nullptr), fReserve(0), fCount(0) {}
     SkTDArray(const T src[], int count) {
         SkASSERT(src || count == 0);
 
         fReserve = fCount = 0;
         fArray = nullptr;
         if (count) {
-            fArray = (T*)sk_malloc_throw(count * sizeof(T));
+            fArray = (T*)sk_malloc_throw(count, sizeof(T));
             memcpy(fArray, src, sizeof(T) * count);
             fReserve = fCount = count;
         }
     }
     SkTDArray(const SkTDArray<T>& src) : fArray(nullptr), fReserve(0), fCount(0) {
         SkTDArray<T> tmp(src.fArray, src.fCount);
         this->swap(tmp);
     }
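Review bot: A negative `count` is still not rejected explicitly in the `SkTDArray(const T src[], int count)` constructor. `SkASSERT(src || count == 0)` is a debug-only assertion and `if (count)` is true for negative values, so release builds presumably depend on the int-to-size conversion inside the two-argument `sk_malloc_throw` producing an overflow or an allocation failure. That outcome is safe if the overload is checked as the commit title implies, but the guarantee sits outside this file and is easy to lose if the allocator call changes. I would state the precondition locally with `SkASSERT_RELEASE(count >= 0);` ahead of the `if (count)` block, which also documents why the unchanged `memcpy(fArray, src, sizeof(T) * count)` cannot see a wrapped size.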
@@ -348,41 +348,43 @@ public:
         SkASSERT((fReserve == 0 && fArray == nullptr) ||
                  (fReserve > 0 && fArray != nullptr));
         SkASSERT(fCount <= fReserve);
     }
 #endif
 
     void shrinkToFit() {
         fReserve = fCount;
-        fArray = (T*)sk_realloc_throw(fArray, fReserve * sizeof(T));
+        fArray = (T*)sk_realloc_throw(fArray, fReserve, sizeof(T));
     }
 
 private:
     T*      fArray;
     int     fReserve;
     int     fCount;
 
     /**
      *  Adjusts the number of elements in the array.
      *  This is the same as calling setCount(count() + delta).
      */
     void adjustCount(int delta) {
+        SkASSERT_RELEASE(fCount <= std::numeric_limits<int>::max() - delta);
         this->setCount(fCount + delta);
     }
 
     /**
      *  Increase the storage allocation such that it can hold (fCount + extra)
      *  elements.
      *  It never shrinks the allocation, and it may increase the allocation by
      *  more than is strictly required, based on a private growth heuristic.
      *
      *  note: does NOT modify fCount
      */
     void resizeStorageToAtLeast(int count) {
         SkASSERT(count > fReserve);
+        SkASSERT_RELEASE(count <= std::numeric_limits<int>::max() - std::numeric_limits<int>::max() / 5 - 4);
         fReserve = count + 4;
         fReserve += fReserve / 4;
-        fArray = (T*)sk_realloc_throw(fArray, fReserve * sizeof(T));
+        fArray = (T*)sk_realloc_throw(fArray, fReserve, sizeof(T));
     }
 };
 
 #endif
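Review bot: The new guard in `adjustCount` evaluates `std::numeric_limits<int>::max() - delta`, which is itself a signed overflow when `delta` is negative, so the check is only well-defined for non-negative deltas. The doc comment ("same as calling setCount(count() + delta)") does not rule negative values out, and the callers are outside this hunk. If shrinking through this path is not intended, `SkASSERT_RELEASE(delta >= 0 && fCount <= std::numeric_limits<int>::max() - delta);` makes that explicit; otherwise do the sum in a wider type and range-check the result. Neither hunk adds `#include <limits>`, so unless it is already included above line 17 the header relies on a transitive include for `std::numeric_limits`. The bound in `resizeStorageToAtLeast` would also benefit from a comment such as `// largest count for which (count + 4) + (count + 4) / 4 still fits in int`, so it is updated together with the growth heuristic.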