Avoid bitmap overflow.

This ensures there are no circumstances under which the
following memcpy could write beyond the end of the bitmap.

Bug: 1144368
Change-Id: I2d41d9f059445c936387a25d9fe9b45818a3e649
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2511859
Commit-Queue: Adrian Taylor <adetaylor@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Sami Kyöstilä <skyostil@chromium.org>
Cr-Commit-Position: refs/heads/master@{#822974}
diff --git a/ui/gfx/android/java_bitmap.cc b/ui/gfx/android/java_bitmap.cc
index 2a5d588..db7efd1 100644
--- a/ui/gfx/android/java_bitmap.cc
+++ b/ui/gfx/android/java_bitmap.cc
@@ -10,6 +10,7 @@
 #include "base/bits.h"
 #include "base/check_op.h"
 #include "base/notreached.h"
+#include "base/numerics/safe_conversions.h"
 #include "ui/gfx/geometry/size.h"
 #include "ui/gfx/gfx_jni_headers/BitmapHelper_jni.h"
 
@@ -86,6 +87,8 @@
   JavaBitmap dst_lock(jbitmap);
   void* src_pixels = skbitmap->getPixels();
   void* dst_pixels = dst_lock.pixels();
+  CHECK_GE(base::checked_cast<size_t>(dst_lock.byte_count()),
+           skbitmap->computeByteSize());
   memcpy(dst_pixels, src_pixels, skbitmap->computeByteSize());
 
   return jbitmap;
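Review bot: The added `CHECK_GE` and the `memcpy` below it each call `skbitmap->computeByteSize()` separately, so the length that is checked and the length that is copied match only by convention. Computing it once ties the guard to the copy: `const size_t src_size = skbitmap->computeByteSize();`, then `CHECK_GE(base::checked_cast<size_t>(dst_lock.byte_count()), src_size);` and `memcpy(dst_pixels, src_pixels, src_size);`. A one-line comment such as `// CHECK (not DCHECK): the bound must hold in release builds, since it guards the memcpy into the Java-owned buffer.` would keep a later cleanup from weakening it. Neither `src_pixels` nor `dst_pixels` is tested for null inside the hunk. The function starts above the hunk, so it is not visible here whether that is guaranteed earlier; it is worth confirming.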