author | Kevin Lubick <kjlubick@google.com> | 2018-05-18 11:32:33 -0400 |
---|---|---|
committer | Skia Commit-Bot <skia-commit-bot@chromium.org> | 2018-05-18 16:33:54 +0000 |
commit | 160e93dc19cb498dd846f5ad7b1fd810910c7465 (patch) | |
tree | b63ed98171e862728017be28568b2e54a13e0078 | |
parent | 832aa11e909ac6fdb38c35ec77e4e4fc6fbf286a (diff) |
Prevent SkMatrixConvolutionImageFilter from allocating large buffers it can't fill
Bug: skia:7937
Change-Id: I71a5673939b3d91864a4b788e1e3a520b0ee04dd
Reviewed-on: https://skia-review.googlesource.com/129179
Reviewed-by: Mike Klein <mtklein@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
-rw-r--r-- | src/effects/SkMatrixConvolutionImageFilter.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/effects/SkMatrixConvolutionImageFilter.cpp b/src/effects/SkMatrixConvolutionImageFilter.cpp
index 2119a8b108..153c6f4c48 100644
--- a/src/effects/SkMatrixConvolutionImageFilter.cpp
+++ b/src/effects/SkMatrixConvolutionImageFilter.cpp
@@ -90,6 +90,9 @@ sk_sp<SkFlattenable> SkMatrixConvolutionImageFilter::CreateProc(SkReadBuffer& bu
 if (!buffer.validate(kernelArea == count)) {
 return nullptr;
 }
+ if (!buffer.validateCanReadN<SkScalar>(count)) {
+ return nullptr;
+ }
 SkAutoSTArray<16, SkScalar> kernel(count);
 if (!buffer.readScalarArray(kernel.get(), count)) {
 return nullptr;
@@ -103,6 +106,9 @@ sk_sp<SkFlattenable> SkMatrixConvolutionImageFilter::CreateProc(SkReadBuffer& bu
 TileMode tileMode = buffer.read32LE(kLast_TileMode);
 bool convolveAlpha = buffer.readBool();
+ if (!buffer.isValid()) {
+ return nullptr;
+ }
 return Make(kernelSize, kernel.get(), gain, bias, kernelOffset, tileMode, convolveAlpha, common.getInput(0), &common.cropRect());
 } |
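Review bot: The new `validateCanReadN<SkScalar>(count)` guard in the first hunk only helps because it sits ahead of `SkAutoSTArray<16, SkScalar> kernel(count);`, and nothing in the code records that ordering constraint. A short comment would keep a later refactor from moving the allocation back above the check, for example `// count is read from the serialized stream: confirm that many scalars remain before sizing the kernel array`. The diffstat shows only this file changing, so the input behind skia:7937 is not pinned by a regression test in this commit; adding one alongside the fix would be worth it. Where `count` and `kernelArea` are computed lies outside the hunk, so whether they are already range-checked cannot be confirmed from this view.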
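Review bot: In the second hunk the single `buffer.isValid()` test before `return Make(...)` is also the only visible check on `gain`, `bias` and `kernelOffset`, which are passed to `Make` but read outside the hunk. That relies on the buffer staying invalid once any earlier read has failed, which looks like the intent but is not shown here. A comment would make the contract explicit, e.g. `// A failed read above leaves the buffer invalid; never build the filter from partially read fields`. CreateProc begins before the hunk, so the earlier reads should be checked against this assumption.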