SkScaledBitmapSampler: fix memory overwritten

Cherry-picked from https://codereview.chromium.org/1085253002
in Skia.

Memory will be overwritten while downsampling some
interlaced gif images, most commonly with odd sizes,
when index of destination row stores in the current
line computed from GifInterlaceIter meets:

 X is an integer in [0..height-1]
   and
 (X < height)
 && ((X - sampleSize/2) % sampleSize == 0)
 && ((X - sampleSize/2)/sampleSize >= height/sampleSize)

Signed-off-by: Lu Tong <lu.x.tong@sonymobile.com>

BUG=skia:

Review URL: https://codereview.chromium.org/1085253002

CVE-2015-3877

BUG:20723696
Change-Id: I2cca83a2a5c39b5a497f36b40724262b438ead8b

Author: jzoran

src/images/SkScaledBitmapSampler.cpp

@@ -745,7 +745,9 @@ bool SkScaledBitmapSampler::sampleInterlaced(const uint8_t* SK_RESTRICT src, int
     // of the destination bitmap's pixels, which is used to calculate the destination row
     // each time this function is called.
     const int dstY = srcYMinusY0 / fDY;
-    SkASSERT(dstY < fScaledHeight);
+    if (dstY >= fScaledHeight) {
+        return false;
+    }
     char* dstRow = fDstRow + dstY * fDstRowBytes;
     return fRowProc(dstRow, src + fX0 * fSrcPixelSize, fScaledWidth,
                     fDX * fSrcPixelSize, dstY, fCTable);