[CP-beta] Drop APNG frames that don't fit entirely within the destination surface. (#57062)

This cherry-pick PR includes:

#56928 followed by #57025

It supersedes #56978.

### Issue Link:
What is the link to the issue this cherry-pick is addressing?

Issue was reported over email.

### Changelog Description:
Explain this cherry pick in one line that is accessible to most Flutter developers. See [best practices](https://github.com/flutter/flutter/blob/main/docs/releases/Hotfix-Documentation-Best-Practices.md) for examples

Fixes an out-of-bounds memory write in APNG decoding.

### Impact Description:
What is the impact (ex. visual jank on Samsung phones, app crash, cannot ship an iOS app)? Does it impact development (ex. flutter doctor crashes when Android Studio is installed), or the shipping production app (the app crashes on launch)

Fixes an issue in which an untrusted malformed APNG image could cause out of bounds memory writes, crashing the app.

### Workaround:
Is there a workaround for this issue?

There is no workaround.

### Risk:
What is the risk level of this cherry-pick?

### Test Coverage:
Are you confident that your fix is well-tested by automated tests?

### Validation Steps:
What are the steps to validate that this fix works?

Attempt to load the APNG used in the tests in the PR.

Author: zanderso

lib/ui/fixtures/out_of_bounds.apng

@@ -187,7 +187,7 @@ TEST(ImageDecoderNoGLTest, ImpellerWideGamutIndexedPng) {
 #endif  // IMPELLER_SUPPORTS_RENDERING
 }
 
-TEST(ImageDecoderNoGLTest, ImepllerUnmultipliedAlphaPng) {
+TEST(ImageDecoderNoGLTest, ImpellerUnmultipliedAlphaPng) {
 #if defined(OS_FUCHSIA)
   GTEST_SKIP() << "Fuchsia can't load the test fixtures.";
 #endif

lib/ui/fixtures/out_of_bounds_wrapping.apng

@@ -110,6 +110,28 @@ bool APNGImageGenerator::GetPixels(const SkImageInfo& info,
                     << ") of APNG due to the frame missing data (frame_info).";
     return false;
   }
+  if (
+      // Check for unsigned integer wrapping for
+      // frame.{x|y}_offset + frame_info.{width|height}().
+      frame.x_offset >
+          std::numeric_limits<uint32_t>::max() - frame_info.width() ||
+      frame.y_offset >
+          std::numeric_limits<uint32_t>::max() - frame_info.height() ||
+
+      frame.x_offset + frame_info.width() >
+          static_cast<unsigned int>(info.width()) ||
+      frame.y_offset + frame_info.height() >
+          static_cast<unsigned int>(info.height())) {
+    FML_DLOG(ERROR)
+        << "Decoded image at index " << image_index
+        << " (frame index: " << frame_index
+        << ") rejected because the destination region (x: " << frame.x_offset
+        << ", y: " << frame.y_offset << ", width: " << frame_info.width()
+        << ", height: " << frame_info.height()
+        << ") is not entirely within the destination surface (width: "
+        << info.width() << ", height: " << info.height() << ").";
+    return false;
+  }
 
   //----------------------------------------------------------------------------
   /// 3. Composite the frame onto the canvas.
@@ -630,7 +652,19 @@ uint32_t APNGImageGenerator::ChunkHeader::ComputeChunkCrc32() {
 bool APNGImageGenerator::RenderDefaultImage(const SkImageInfo& info,
                                             void* pixels,
                                             size_t row_bytes) {
-  SkCodec::Result result = images_[0].codec->getPixels(info, pixels, row_bytes);
+  APNGImage& frame = images_[0];
+  SkImageInfo frame_info = frame.codec->getInfo();
+  if (frame_info.width() > info.width() ||
+      frame_info.height() > info.height()) {
+    FML_DLOG(ERROR)
+        << "Default image rejected because the destination region (width: "
+        << frame_info.width() << ", height: " << frame_info.height()
+        << ") is not entirely within the destination surface (width: "
+        << info.width() << ", height: " << info.height() << ").";
+    return false;
+  }
+
+  SkCodec::Result result = frame.codec->getPixels(info, pixels, row_bytes);
   if (result != SkCodec::kSuccess) {
     FML_DLOG(ERROR) << "Failed to decode the APNG's default/fallback image. "
                        "SkCodec::Result: "

lib/ui/painting/image_decoder_no_gl_unittests.cc

@@ -252,6 +252,46 @@ void main() {
     imageData = (await image.toByteData())!;
     expect(imageData.getUint32(imageData.lengthInBytes - 4), 0x00000000);
   });
+
+  test(
+      'Animated apng frame decode does not crash with invalid destination region',
+      () async {
+    final Uint8List data = File(
+      path.join('flutter', 'lib', 'ui', 'fixtures', 'out_of_bounds.apng'),
+    ).readAsBytesSync();
+
+    final ui.Codec codec = await ui.instantiateImageCodec(data);
+    try {
+      await codec.getNextFrame();
+      fail('exception not thrown');
+    } on Exception catch (e) {
+      if (impellerEnabled) {
+        expect(e.toString(), contains('Could not decompress image.'));
+      } else {
+        expect(e.toString(), contains('Codec failed'));
+      }
+    }
+  });
+
+  test(
+      'Animated apng frame decode does not crash with invalid destination region and bounds wrapping',
+      () async {
+    final Uint8List data = File(
+      path.join('flutter', 'lib', 'ui', 'fixtures', 'out_of_bounds_wrapping.apng'),
+    ).readAsBytesSync();
+
+    final ui.Codec codec = await ui.instantiateImageCodec(data);
+    try {
+      await codec.getNextFrame();
+      fail('exception not thrown');
+    } on Exception catch (e) {
+      if (impellerEnabled) {
+        expect(e.toString(), contains('Could not decompress image.'));
+      } else {
+        expect(e.toString(), contains('Codec failed'));
+      }
+    }
+  });
 }
 
 /// Returns a File handle to a file in the skia/resources directory.