author | Leon Scroggins III <scroggo@google.com> | 2017-06-05 14:06:57 -0400 |
---|---|---|
committer | Skia Commit-Bot <skia-commit-bot@chromium.org> | 2017-06-05 18:28:19 +0000 |
commit | 12a4dc985b894083a9130d8f5770e67656418b52 (patch) | |
tree | d77c1072b80bea391d7a81ebe899bb3cd9dbc1aa | |
parent | 094dcc51c184f0c85a013fd2a3f08edc08cb5cd0 (diff) |
Defend against ICOs with large BMPs embedded
If the ICO reports that it has a large BMP file embedded, do not
crash if we attempt to allocate too much memory.
Bug: b/38116746
Change-Id: I70eb66f5e4ffc15587007b398bbe843665eae500
Reviewed-on: https://skia-review.googlesource.com/18447
Reviewed-by: Matt Sarett <msarett@google.com>
Commit-Queue: Leon Scroggins <scroggo@google.com>
-rw-r--r-- | resources/invalid_images/b38116746.ico | bin | 0 -> 1024 bytes | |||
-rw-r--r-- | src/codec/SkIcoCodec.cpp | 11 | ||||
-rw-r--r-- | tests/BadIcoTest.cpp | 1 |
3 files changed, 10 insertions, 2 deletions
diff --git a/resources/invalid_images/b38116746.ico b/resources/invalid_images/b38116746.ico
Binary files differ
new file mode 100644
index 0000000000..35ee5b5a28
--- /dev/null
+++ b/resources/invalid_images/b38116746.ico
diff --git a/src/codec/SkIcoCodec.cpp b/src/codec/SkIcoCodec.cpp
index 9ea092efc0..9d424f3e4e 100644
--- a/src/codec/SkIcoCodec.cpp
+++ b/src/codec/SkIcoCodec.cpp
@@ -128,11 +128,18 @@ SkCodec* SkIcoCodec::NewFromStream(SkStream* stream) {
 bytesRead = offset;
 // Create a new stream for the embedded codec
- sk_sp<SkData> data(SkData::MakeFromStream(inputStream.get(), size));
- if (nullptr == data.get()) {
+ SkAutoFree buffer(sk_malloc_flags(size, 0));
+ if (!buffer) {
+ SkCodecPrintf("Warning: OOM trying to create embedded stream.\n");
+ break;
+ }
+
+ if (inputStream->read(buffer.get(), size) != size) {
 SkCodecPrintf("Warning: could not create embedded stream.\n");
 break;
 }
+
+ sk_sp<SkData> data(SkData::MakeFromMalloc(buffer.release(), size));
 std::unique_ptr<SkMemoryStream> embeddedStream(new SkMemoryStream(data));
 bytesRead += size;
diff --git a/tests/BadIcoTest.cpp b/tests/BadIcoTest.cpp
index 229e9bc44e..670c2ac311 100644
--- a/tests/BadIcoTest.cpp
+++ b/tests/BadIcoTest.cpp
@@ -24,6 +24,7 @@ DEF_TEST(BadImage, reporter) {
 "ico_fuzz1.ico",
 "skbug3442.webp",
 "skbug3429.webp",
+ "b38116746.ico",
 };
 const char* badImagesFolder = "invalid_images"; |
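Review bot: In the src/codec/SkIcoCodec.cpp hunk, `sk_malloc_flags(size, 0)` is still sized by `size` before a single embedded byte has been read, so a file as small as the new 1024-byte test resource can request a very large buffer. `size` is presumably taken from the ICO directory entry, which is parsed outside the hunk. The new null check stops the crash, but where the allocation succeeds (for example under memory overcommit) the decoder still reserves the full amount until the short `read` fails. Where the stream can report its length, a guard ahead of the allocation would reject such entries cheaply: `if (inputStream->hasLength() && size > inputStream->getLength()) { break; }`, with a warning in the style of the neighbouring ones. The bare `0` flags argument also deserves a comment such as `// flags == 0: return nullptr on failure instead of aborting`, assuming that is what the flag value selects, since the whole fix depends on it. NewFromStream's body continues outside the hunk.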