author | Mike Reed <reed@google.com> | 2018-01-23 11:50:25 -0500 |
---|---|---|
committer | Skia Commit-Bot <skia-commit-bot@chromium.org> | 2018-01-23 18:28:47 +0000 |
commit | 165fa634b7619f5a9e04eb5735ab0ec2c0776c42 (patch) | |
tree | 32250d76850a2158c2147ab2457c39d852bfe003 | |
parent | b4e965c103c3140f0072949343befb34bceadc96 (diff) |
check for valid vertices mode
Bug: skia:7512
Change-Id: I2ede2232f3807e7bad8562eb3bf6327ffc52a996
Reviewed-on: https://skia-review.googlesource.com/98760
Reviewed-by: Mike Reed <reed@google.com>
Commit-Queue: Mike Reed <reed@google.com>
-rw-r--r-- | include/core/SkVertices.h | 2 | ||||
-rw-r--r-- | src/core/SkVertices.cpp | 7 |
2 files changed, 7 insertions, 2 deletions
diff --git a/include/core/SkVertices.h b/include/core/SkVertices.h
index 13aab5b3a8..db1764e57e 100644
--- a/include/core/SkVertices.h
+++ b/include/core/SkVertices.h
@@ -23,6 +23,8 @@ public:
 kTriangles_VertexMode,
 kTriangleStrip_VertexMode,
 kTriangleFan_VertexMode,
+
+ kLast_VertexMode = kTriangleFan_VertexMode,
 };
 /**
diff --git a/src/core/SkVertices.cpp b/src/core/SkVertices.cpp
index fcec6e2810..08edca08fe 100644
--- a/src/core/SkVertices.cpp
+++ b/src/core/SkVertices.cpp
@@ -10,6 +10,7 @@
 #include "SkData.h"
 #include "SkReader32.h"
 #include "SkSafeMath.h"
+#include "SkSafeRange.h"
 #include "SkWriter32.h"
 static int32_t gNextID = 1;
@@ -195,16 +196,18 @@ sk_sp<SkVertices> SkVertices::Decode(const void* data, size_t length) {
 }
 SkReader32 reader(data, length);
+ SkSafeRange safe;
 const uint32_t packed = reader.readInt();
 const int vertexCount = reader.readInt();
 const int indexCount = reader.readInt();
- const VertexMode mode = static_cast<VertexMode>(packed & kMode_Mask);
+ const VertexMode mode = safe.checkLE<VertexMode>(packed & kMode_Mask,
+ SkVertices::kLast_VertexMode);
 const bool hasTexs = SkToBool(packed & kHasTexs_Mask);
 const bool hasColors = SkToBool(packed & kHasColors_Mask);
 Sizes sizes(vertexCount, indexCount, hasTexs, hasColors);
- if (!sizes.isValid()) {
+ if (!sizes.isValid() || !safe) {
 return nullptr;
 }
 // logically we can be only 2-byte aligned, but our buffer is always 4-byte aligned |
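Review bot: The new `kLast_VertexMode` alias in include/core/SkVertices.h carries no comment, yet SkVertices::Decode now relies on it as the upper bound for the mode read from serialized data. If a mode is later appended after `kTriangleFan_VertexMode` without updating the alias, Decode would reject buffers that use the new mode, and nothing at the declaration warns about that. I would add `// Must alias the final mode above; Decode() range-checks serialized modes against it.` on the line before the alias. The enum begins above this hunk, so any existing documentation on it is not visible here.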
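Review bot: In SkVertices::Decode the out-of-range mode is rejected only at the later `if (!sizes.isValid() || !safe)`, several statements after `mode` is computed, and nothing in the hunk states that `mode` must not be consumed before that test. A comment above the `if`, for example `// Serialized input is untrusted: reject bad sizes or a mode above kLast_VertexMode before using either.`, would make the ordering requirement explicit for anyone inserting code in between. Separately, the visible lines mask `packed` with `kMode_Mask`, `kHasTexs_Mask` and `kHasColors_Mask` but never examine the remaining bits; if the format reserves them, checking that they are zero at the same point would keep the decoder strict. Decode starts before this hunk and continues past it, so later uses of `mode` and the mask definitions are not visible.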