1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
|
diff --git a/fuzz/FuzzPathMeasure.cpp b/fuzz/FuzzPathMeasure.cpp
index 8526ff8cc6..116302f5fe 100644
--- a/fuzz/FuzzPathMeasure.cpp
+++ b/fuzz/FuzzPathMeasure.cpp
@@ -22,6 +22,9 @@ DEF_FUZZ(PathMeasure, fuzz) {
FuzzEvilPath(fuzz, &path, SkPath::Verb::kDone_Verb);
SkRect bounds = path.getBounds();
SkScalar maxDim = SkTMax(bounds.width(), bounds.height());
+ if (maxDim > 10000000) {
+ return;
+ }
SkScalar resScale = maxDim / 1000;
SkPathMeasure measure(path, bits & 1, resScale);
SkPoint position;
diff --git a/src/core/SkAAClip.cpp b/src/core/SkAAClip.cpp
index c33ea9510d..a4d09c265d 100644
--- a/src/core/SkAAClip.cpp
+++ b/src/core/SkAAClip.cpp
@@ -1547,6 +1547,12 @@ static void operateY(SkAAClip::Builder& builder, const SkAAClip& A,
int topB = iterB.top();
int botB = iterB.bottom();
+#if defined(IS_FUZZING)
+ if ((botA - topA) > 100000 || (botB - topB) > 100000) {
+ return;
+ }
+#endif
+
do {
const uint8_t* rowA = nullptr;
const uint8_t* rowB = nullptr;
diff --git a/src/core/SkDraw.cpp b/src/core/SkDraw.cpp
index 296329a52d..9b74d50146 100644
--- a/src/core/SkDraw.cpp
+++ b/src/core/SkDraw.cpp
@@ -959,6 +959,12 @@ void SkDraw::drawPath(const SkPath& origSrcPath, const SkPaint& origPaint,
// transform the path into device space
pathPtr->transform(*matrix, devPathPtr);
+#if defined(IS_FUZZING)
+ if (devPathPtr->countPoints() > 1000) {
+ return;
+ }
+#endif
+
this->drawDevPath(*devPathPtr, *paint, drawCoverage, customBlitter, doFill);
}
diff --git a/src/core/SkImageFilter.cpp b/src/core/SkImageFilter.cpp
index 107566459b..bac5263e47 100644
--- a/src/core/SkImageFilter.cpp
+++ b/src/core/SkImageFilter.cpp
@@ -176,6 +176,12 @@ bool SkImageFilter_Base::Common::unflatten(SkReadBuffer& buffer, int expectedCou
return false;
}
+#if defined(IS_FUZZING)
+ if (count > 4) {
+ return false;
+ }
+#endif
+
SkASSERT(fInputs.empty());
for (int i = 0; i < count; i++) {
fInputs.push_back(buffer.readBool() ? buffer.readImageFilter() : nullptr);
diff --git a/src/core/SkMallocPixelRef.cpp b/src/core/SkMallocPixelRef.cpp
index d998029a2b..8807c1fc4d 100644
--- a/src/core/SkMallocPixelRef.cpp
+++ b/src/core/SkMallocPixelRef.cpp
@@ -37,6 +37,11 @@ sk_sp<SkPixelRef> SkMallocPixelRef::MakeAllocate(const SkImageInfo& info, size_t
return nullptr;
}
}
+#if defined(IS_FUZZING)
+ if (size > 100000) {
+ return nullptr;
+ }
+#endif
void* addr = sk_calloc_canfail(size);
if (nullptr == addr) {
return nullptr;
diff --git a/src/core/SkMaskFilter.cpp b/src/core/SkMaskFilter.cpp
index 573fe3cabb..cae96b00cc 100644
--- a/src/core/SkMaskFilter.cpp
+++ b/src/core/SkMaskFilter.cpp
@@ -262,6 +262,11 @@ bool SkMaskFilterBase::filterPath(const SkPath& devPath, const SkMatrix& matrix,
SkMask srcM, dstM;
+#if defined(IS_FUZZING)
+ if (devPath.countVerbs() > 1000 || devPath.countPoints() > 1000) {
+ return false;
+ }
+#endif
if (!SkDraw::DrawToMask(devPath, &clip.getBounds(), this, &matrix, &srcM,
SkMask::kComputeBoundsAndRenderImage_CreateMode,
style)) {
diff --git a/src/core/SkPaint.cpp b/src/core/SkPaint.cpp
index f294dbe4a0..12100e1624 100644
--- a/src/core/SkPaint.cpp
+++ b/src/core/SkPaint.cpp
@@ -449,6 +449,13 @@ bool SkPaint::getFillPath(const SkPath& src, SkPath* dst, const SkRect* cullRect
SkStrokeRec rec(*this, resScale);
+#if defined(IS_FUZZING)
+ // Prevent lines with small widths from timing out.
+ if (rec.getStyle() == SkStrokeRec::Style::kStroke_Style && rec.getWidth() < 0.001) {
+ return false;
+ }
+#endif
+
const SkPath* srcPtr = &src;
SkPath tmpPath;
diff --git a/src/core/SkPath.cpp b/src/core/SkPath.cpp
index 5679a9d182..104523a6af 100644
--- a/src/core/SkPath.cpp
+++ b/src/core/SkPath.cpp
@@ -3120,7 +3120,11 @@ void SkPathPriv::CreateDrawArcPath(SkPath* path, const SkRect& oval, SkScalar st
SkScalar sweepAngle, bool useCenter, bool isFillNoPathEffect) {
SkASSERT(!oval.isEmpty());
SkASSERT(sweepAngle);
-
+#if defined(IS_FUZZING)
+ if (sweepAngle > 3600.0f || sweepAngle < 3600.0f) {
+ return;
+ }
+#endif
path->reset();
path->setIsVolatile(true);
path->setFillType(SkPathFillType::kWinding);
diff --git a/src/core/SkReadBuffer.cpp b/src/core/SkReadBuffer.cpp
index ff78b74a34..ce846799a4 100644
--- a/src/core/SkReadBuffer.cpp
+++ b/src/core/SkReadBuffer.cpp
@@ -277,7 +277,12 @@ sk_sp<SkData> SkReadBuffer::readByteArrayAsData() {
uint32_t SkReadBuffer::getArrayCount() {
const size_t inc = sizeof(uint32_t);
fError = fError || !IsPtrAlign4(fReader.peek()) || !fReader.isAvailable(inc);
+#if defined(IS_FUZZING)
+ uint32_t retVal = fError ? 0 : *(uint32_t*)fReader.peek();
+ return retVal < 1000 ? retVal: 1000;
+#else
return fError ? 0 : *(uint32_t*)fReader.peek();
+#endif
}
/* Format:
diff --git a/src/core/SkScan_Hairline.cpp b/src/core/SkScan_Hairline.cpp
index f9365cecb2..7b77341e06 100644
--- a/src/core/SkScan_Hairline.cpp
+++ b/src/core/SkScan_Hairline.cpp
@@ -121,7 +121,11 @@ void SkScan::HairLineRgn(const SkPoint array[], int arrayCount, const SkRegion*
if (ix0 == ix1) {// too short to draw
continue;
}
-
+#if defined(IS_FUZZING)
+ if ((ix1 - ix0) > 100000 || (ix1 - ix0) < 0) {
+ continue; // too big to draw
+ }
+#endif
SkFixed slope = SkFixedDiv(dy, dx);
SkFixed startY = SkFDot6ToFixed(y0) + (slope * ((32 - x0) & 63) >> 6);
@@ -137,7 +141,11 @@ void SkScan::HairLineRgn(const SkPoint array[], int arrayCount, const SkRegion*
if (iy0 == iy1) { // too short to draw
continue;
}
-
+#if defined(IS_FUZZING)
+ if ((iy1 - iy0) > 100000 || (iy1 - iy0) < 0) {
+ continue; // too big to draw
+ }
+#endif
SkFixed slope = SkFixedDiv(dx, dy);
SkFixed startX = SkFDot6ToFixed(x0) + (slope * ((32 - y0) & 63) >> 6);
diff --git a/src/effects/Sk1DPathEffect.cpp b/src/effects/Sk1DPathEffect.cpp
index 360179d663..04df451f2a 100644
--- a/src/effects/Sk1DPathEffect.cpp
+++ b/src/effects/Sk1DPathEffect.cpp
@@ -19,6 +19,11 @@
bool Sk1DPathEffect::onFilterPath(SkPath* dst, const SkPath& src,
SkStrokeRec*, const SkRect*) const {
SkPathMeasure meas(src, false);
+#if defined(IS_FUZZING)
+ if (meas.getLength() < 0 || meas.getLength() > 100) {
+ return false;
+ }
+#endif
do {
int governor = MAX_REASONABLE_ITERATIONS;
SkScalar length = meas.getLength();
diff --git a/src/effects/Sk2DPathEffect.cpp b/src/effects/Sk2DPathEffect.cpp
index fa19bb96b8..005daff13b 100644
--- a/src/effects/Sk2DPathEffect.cpp
+++ b/src/effects/Sk2DPathEffect.cpp
@@ -51,6 +51,11 @@ void Sk2DPathEffect::nextSpan(int x, int y, int count, SkPath* path) const {
if (!fMatrixIsInvertible) {
return;
}
+#if defined(IS_FUZZING)
+ if (count > 100) {
+ return;
+ }
+#endif
const SkMatrix& mat = this->getMatrix();
SkPoint src, dst;
diff --git a/src/effects/SkDashPathEffect.cpp b/src/effects/SkDashPathEffect.cpp
index 913d851c04..bd4ea876c0 100644
--- a/src/effects/SkDashPathEffect.cpp
+++ b/src/effects/SkDashPathEffect.cpp
@@ -381,6 +381,12 @@ sk_sp<SkFlattenable> SkDashImpl::CreateProc(SkReadBuffer& buffer) {
return nullptr;
}
+#if defined(IS_FUZZING)
+ // TODO(kjlubick) Can this be removed now that we have the check above?
+ if (count > 20) {
+ return nullptr;
+ }
+#endif
SkAutoSTArray<32, SkScalar> intervals(count);
if (buffer.readScalarArray(intervals.get(), count)) {
return SkDashPathEffect::Make(intervals.get(), SkToInt(count), phase);
diff --git a/src/effects/SkDiscretePathEffect.cpp b/src/effects/SkDiscretePathEffect.cpp
index 93ea43fa29..69527725a6 100644
--- a/src/effects/SkDiscretePathEffect.cpp
+++ b/src/effects/SkDiscretePathEffect.cpp
@@ -97,6 +97,11 @@ bool SkDiscretePathEffect::onFilterPath(SkPath* dst, const SkPath& src,
do {
SkScalar length = meas.getLength();
+#if defined(IS_FUZZING)
+ if (length > 1000) {
+ return false;
+ }
+#endif
if (fSegLength * (2 + doFill) > length) {
meas.getSegment(0, length, dst, true); // to short for us to mangle
diff --git a/src/effects/SkLayerDrawLooper.cpp b/src/effects/SkLayerDrawLooper.cpp
index 42592211a9..3b46f632cf 100644
--- a/src/effects/SkLayerDrawLooper.cpp
+++ b/src/effects/SkLayerDrawLooper.cpp
@@ -213,6 +213,11 @@ void SkLayerDrawLooper::flatten(SkWriteBuffer& buffer) const {
sk_sp<SkFlattenable> SkLayerDrawLooper::CreateProc(SkReadBuffer& buffer) {
int count = buffer.readInt();
+#if defined(IS_FUZZING)
+ if (count > 100) {
+ count = 100;
+ }
+#endif
Builder builder;
for (int i = 0; i < count; i++) {
LayerInfo info;
diff --git a/src/ports/SkDebug_stdio.cpp b/src/ports/SkDebug_stdio.cpp
index 1bba63cc0a..e569514902 100644
--- a/src/ports/SkDebug_stdio.cpp
+++ b/src/ports/SkDebug_stdio.cpp
@@ -12,9 +12,13 @@
#include <stdio.h>
void SkDebugf(const char format[], ...) {
+#if !defined(IS_FUZZING_WITH_LIBFUZZER)
va_list args;
va_start(args, format);
vfprintf(stderr, format, args);
va_end(args);
+#else
+ (void) format;
+#endif
}
#endif//!defined(SK_BUILD_FOR_WIN) && !defined(SK_BUILD_FOR_ANDROID)
|
