diff options
| author |  Leon Scroggins III <scroggo@google.com> | 2017-09-28 14:33:57 -0400 |
|---|---|---|
| committer |  Skia Commit-Bot <skia-commit-bot@chromium.org> | 2017-09-28 19:51:32 +0000 |
| commit | 4cdbf6056de29e8c12c3b1b4c2c2fa286cf68049 (patch) | |
| tree | a01bcff9249a9b5daada122ea46c8c7b21aef63b | |
| parent | c3269aea5ba61a0c2228b029c7626802474825f4 (diff) | |
Avoid uninitialized memory in readByteArrayAsData
Bug: 769134
readByteArray can fail (due to not having enough available or due to the
wrong alignment). If it does, do not return an uninitialized block of
memory.
Further, drop the initial size check, which is covered by readByteArray.
Add a test.
Change-Id: Ia101697c5bb1ca3ae3df1795f37a74b2f602797d
Reviewed-on: https://skia-review.googlesource.com/52742
Reviewed-by: Mike Reed <reed@google.com>
Commit-Queue: Leon Scroggins <scroggo@google.com>
| -rw-r--r-- | resources/crbug769134.fil | bin | 0 -> 440 bytes | |||
| -rw-r--r-- | src/core/SkReadBuffer.h | 6 | ||||
| -rw-r--r-- | tests/ImageFilterTest.cpp | 13 |
3 files changed, 16 insertions, 3 deletions
diff --git a/resources/crbug769134.fil b/resources/crbug769134.fil Binary files differnew file mode 100644 index 0000000000..a8a79e8506 --- /dev/null +++ b/resources/crbug769134.fil diff --git a/src/core/SkReadBuffer.h b/src/core/SkReadBuffer.h index 0653ab6865..980e8cf80f 100644 --- a/src/core/SkReadBuffer.h +++ b/src/core/SkReadBuffer.h @@ -165,11 +165,11 @@ public: sk_sp<SkData> readByteArrayAsData() { size_t len = this->getArrayCount(); - if (!this->validateAvailable(len)) { + void* buffer = sk_malloc_throw(len); + if (!this->readByteArray(buffer, len)) { + sk_free(buffer); return SkData::MakeEmpty(); } - void* buffer = sk_malloc_throw(len); - this->readByteArray(buffer, len); return SkData::MakeFromMalloc(buffer, len); } diff --git a/tests/ImageFilterTest.cpp b/tests/ImageFilterTest.cpp index db269f00e8..c39cc2ee83 100644 --- a/tests/ImageFilterTest.cpp +++ b/tests/ImageFilterTest.cpp @@ -38,6 +38,7 @@ #include "SkTableColorFilter.h" #include "SkTileImageFilter.h" #include "SkXfermodeImageFilter.h" +#include "Resources.h" #include "Test.h" #include "sk_tool_utils.h" @@ -1717,6 +1718,18 @@ DEF_TEST(ImageFilterImageSourceSerialization, reporter) { REPORTER_ASSERT(reporter, *bm.getAddr32(0, 0) == SkPreMultiplyColor(SK_ColorGREEN)); } +DEF_TEST(ImageFilterImageSourceUninitialized, r) { + sk_sp<SkData> data(GetResourceAsData("crbug769134.fil")); + if (!data) { + return; + } + sk_sp<SkImageFilter> unflattenedFilter = SkValidatingDeserializeImageFilter(data->data(), + data->size()); + // This will fail. More importantly, msan will verify that we did not + // compare against uninitialized memory. + REPORTER_ASSERT(r, !unflattenedFilter); +} + static void test_large_blur_input(skiatest::Reporter* reporter, SkCanvas* canvas) { SkBitmap largeBmp; int largeW = 5000; |