authorGravatar Leon Scroggins III <scroggo@google.com>2017-06-05 14:06:57 -0400
committerGravatar Skia Commit-Bot <skia-commit-bot@chromium.org>2017-06-05 18:28:19 +0000
commit12a4dc985b894083a9130d8f5770e67656418b52 (patch)
treed77c1072b80bea391d7a81ebe899bb3cd9dbc1aa
parent094dcc51c184f0c85a013fd2a3f08edc08cb5cd0 (diff)
Defend against ICOs with large BMPs embedded
If the ICO reports that it has a large BMP file embedded, do not crash if we attempt to allocate too much memory. Bug: b/38116746 Change-Id: I70eb66f5e4ffc15587007b398bbe843665eae500 Reviewed-on: https://skia-review.googlesource.com/18447 Reviewed-by: Matt Sarett <msarett@google.com> Commit-Queue: Leon Scroggins <scroggo@google.com>
-rw-r--r--resources/invalid_images/b38116746.icobin0 -> 1024 bytes
-rw-r--r--src/codec/SkIcoCodec.cpp11
-rw-r--r--tests/BadIcoTest.cpp1
3 files changed, 10 insertions, 2 deletions
diff --git a/resources/invalid_images/b38116746.ico b/resources/invalid_images/b38116746.ico
new file mode 100644
index 0000000000..35ee5b5a28
--- /dev/null
+++ b/resources/invalid_images/b38116746.ico
Binary files differ
diff --git a/src/codec/SkIcoCodec.cpp b/src/codec/SkIcoCodec.cpp
index 9ea092efc0..9d424f3e4e 100644
--- a/src/codec/SkIcoCodec.cpp
+++ b/src/codec/SkIcoCodec.cpp
@@ -128,11 +128,18 @@ SkCodec* SkIcoCodec::NewFromStream(SkStream* stream) {
bytesRead = offset;
// Create a new stream for the embedded codec
- sk_sp<SkData> data(SkData::MakeFromStream(inputStream.get(), size));
- if (nullptr == data.get()) {
+ SkAutoFree buffer(sk_malloc_flags(size, 0));
+ if (!buffer) {
+ SkCodecPrintf("Warning: OOM trying to create embedded stream.\n");
+ break;
+ }
+
+ if (inputStream->read(buffer.get(), size) != size) {
SkCodecPrintf("Warning: could not create embedded stream.\n");
break;
}
+
+ sk_sp<SkData> data(SkData::MakeFromMalloc(buffer.release(), size));
std::unique_ptr<SkMemoryStream> embeddedStream(new SkMemoryStream(data));
bytesRead += size;
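Review bot: The `sk_malloc_flags(size, 0)` call still sizes the buffer from the entry's declared `size` before anything confirms the stream holds that many bytes, so the new null check turns an allocation failure into a clean `break` but does not bound the request itself. Where the allocator overcommits, the allocation may well succeed and the problem only surfaces at the short `read`, so a small file can still drive a large reservation per entry. When the stream reports its length, the entry could be rejected first with something like `if (inputStream->hasLength() && size > inputStream->getLength()) { break; }`; a tighter bound would subtract the bytes already consumed, which depends on code outside this hunk. A comment above the allocation such as `// size comes from the ICO directory entry and is untrusted; use the non-aborting allocator` would record why `SkData::MakeFromStream` was replaced. The body of `NewFromStream` starts and ends outside the hunk.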
diff --git a/tests/BadIcoTest.cpp b/tests/BadIcoTest.cpp
index 229e9bc44e..670c2ac311 100644
--- a/tests/BadIcoTest.cpp
+++ b/tests/BadIcoTest.cpp
@@ -24,6 +24,7 @@ DEF_TEST(BadImage, reporter) {
"ico_fuzz1.ico",
"skbug3442.webp",
"skbug3429.webp",
+ "b38116746.ico",
};
const char* badImagesFolder = "invalid_images";