authorLeon Scroggins III <scroggo@google.com>2018-10-22 13:16:37 -0400
committerandroid-build-team Robot <android-build-team-robot@google.com>2018-12-05 05:13:47 +0000
commit654579dbab7cf3a566636bcc7d6617d5ac938f38 (patch)
treec0c0db449af819d3075e537a5d0fd3becbc2baa0
parent0056606ac49688dcf3c08a51ca98fd94d9bf1897 (diff)
downloadskia-654579dbab7cf3a566636bcc7d6617d5ac938f38.tar.gz
RESTRICT AUTOMERGE: Fix heap buffer overflow
Bug: b/118143775 Bug: oss-fuzz:11040 Test: I5fe66d06078f3bc674ceab4fbc8aae2ab67bfe1a Because we're sampling, the offset ends up the same as the width. Back up to the left enough to fit the bytes we will write. Include SafetyNet logging from https://skia-review.googlesource.com/c/skia/+/171227 Change-Id: Ie476a0191b66c2322446b9c0922f630d6e971645 Reviewed-on: https://skia-review.googlesource.com/c/164262 (cherry picked from commit 1a1cec98427fdc9e94614580ec42dbe936c47c55)
-rw-r--r--src/codec/SkSwizzler.cpp16
1 files changed, 16 insertions, 0 deletions
diff --git a/src/codec/SkSwizzler.cpp b/src/codec/SkSwizzler.cpp
index f88817f5d3..ca82586c60 100644
--- a/src/codec/SkSwizzler.cpp
+++ b/src/codec/SkSwizzler.cpp
@@ -12,6 +12,10 @@
#include "SkSwizzler.h"
#include "SkTemplates.h"
+#ifdef SK_BUILD_FOR_ANDROID_FRAMEWORK
+ #include "SkAndroidFrameworkUtils.h"
+#endif
+
static void copy(void* dst, const uint8_t* src, int width, int bpp, int deltaSrc, int offset,
const SkPMColor ctable[]) {
// This function must not be called if we are sampling. If we are not
@@ -1186,6 +1190,18 @@ int SkSwizzler::onSetSampleX(int sampleX) {
fSwizzleWidth = get_scaled_dimension(fSrcWidth, sampleX);
fAllocatedWidth = get_scaled_dimension(fDstWidth, sampleX);
+ if (fDstOffsetBytes > 0) {
+ const size_t dstSwizzleBytes = fSwizzleWidth * fDstBPP;
+ const size_t dstAllocatedBytes = fAllocatedWidth * fDstBPP;
+ if (fDstOffsetBytes + dstSwizzleBytes > dstAllocatedBytes) {
+#ifdef SK_BUILD_FOR_ANDROID_FRAMEWORK
+ SkAndroidFrameworkUtils::SafetyNetLog("118143775");
+#endif
+ SkASSERT(dstSwizzleBytes < dstAllocatedBytes);
+ fDstOffsetBytes = dstAllocatedBytes - dstSwizzleBytes;
+ }
+ }
+
// The optimized swizzler functions do not support sampling. Sampled swizzles
// are already fast because they skip pixels. We haven't seen a situation
// where speeding up sampling has a significant impact on total decode time.
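Review bot: The adjustment `fDstOffsetBytes = dstAllocatedBytes - dstSwizzleBytes;` is guarded only by `SkASSERT(dstSwizzleBytes < dstAllocatedBytes)`, and SkASSERT is, as far as I know, compiled out of release builds, so on shipped builds a swizzle width larger than the allocated width would make the `size_t` subtraction wrap and store a bogus offset instead of a clamped one. Since this is the fix for a heap overflow reached from fuzzer-supplied image data, the invariant should hold at runtime too, for example `fDstOffsetBytes = dstSwizzleBytes <= dstAllocatedBytes ? dstAllocatedBytes - dstSwizzleBytes : 0;`, or a release-enforced assertion if aborting the decode is acceptable there. The assert also uses `<`, so it fires in debug builds when the two sizes are equal, a case the subtraction handles correctly (offset 0). The products `fSwizzleWidth * fDstBPP` and `fAllocatedWidth * fDstBPP` are evaluated in the members' own types before widening to `size_t`; those declarations are outside the hunk, so it is worth confirming they cannot overflow for large widths. onSetSampleX begins before this hunk and continues past it.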