author | robertphillips <robertphillips@google.com> | 2016-06-28 09:04:34 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-06-28 09:04:34 -0700 |
commit | 74139f1b49d02b38006170c3e50439c1b33b175f (patch) | |
tree | 3cd0f91864e139eb5fc413b013142979b3f8242d | |
parent | ab527a5bbfb1eae4f99a1435d349a44d00477d82 (diff) |
Address two fuzzer bugs:
SkImageInfos that were made invalid weren't being caught
Messing with the size of a SAVE record wasn't being caught
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2104973003
Review-Url: https://codereview.chromium.org/2104973003
-rw-r--r-- | src/core/SkBitmap.cpp | 6 | ||||
-rw-r--r-- | src/core/SkPicturePlayback.cpp | 5 |
2 files changed, 7 insertions, 4 deletions
diff --git a/src/core/SkBitmap.cpp b/src/core/SkBitmap.cpp
index 8cb8e4d6fc..863169c458 100644
--- a/src/core/SkBitmap.cpp
+++ b/src/core/SkBitmap.cpp
@@ -1145,8 +1145,10 @@ bool SkBitmap::ReadRawPixels(SkReadBuffer* buffer, SkBitmap* bitmap) {
 SkImageInfo info;
 info.unflatten(*buffer);
- // If there was an error reading "info", don't use it to compute minRowBytes()
- if (!buffer->validate(true)) {
+ // If there was an error reading "info" or if it is bogus,
+ // don't use it to compute minRowBytes()
+ if (!buffer->validate(SkColorTypeValidateAlphaType(info.colorType(),
+ info.alphaType()))) {
 return false;
 }
diff --git a/src/core/SkPicturePlayback.cpp b/src/core/SkPicturePlayback.cpp
index 36d385c095..3cbcdbbd2f 100644
--- a/src/core/SkPicturePlayback.cpp
+++ b/src/core/SkPicturePlayback.cpp
@@ -543,8 +543,9 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader,
 case SAVE:
 // SKPs with version < 29 also store a SaveFlags param.
 if (size > 4) {
- SkASSERT(8 == size);
- reader->readInt();
+ if (reader->validate(8 == size)) {
+ reader->readInt();
+ }
 }
 canvas->save();
 break; |
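Review bot: The new `validate(...)` call in `SkBitmap::ReadRawPixels` only checks that the color type and alpha type form a legal pair. The width and height in the same unflattened `info` are not checked in this hunk, although the comment says `info` feeds `minRowBytes()` immediately afterwards. If `info.unflatten()` does not already reject negative dimensions (not visible here), I would fold that into the same call: `buffer->validate(info.width() >= 0 && info.height() >= 0 && SkColorTypeValidateAlphaType(info.colorType(), info.alphaType()))`. The function body continues past the end of the hunk, so the row-byte and size arithmetic that consumes `info` cannot be reviewed from here.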
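Review bot: In the `SAVE` case of `SkPicturePlayback::handleOp`, a record whose size is greater than 4 but not 8 now marks the reader invalid, yet control still falls through to `canvas->save()`. A malformed record therefore still changes canvas state, and stopping playback depends on the caller checking the reader afterwards, which is outside this hunk. I would leave the case as soon as validation fails, `if (!reader->validate(8 == size)) { break; }`, followed by the unconditional `reader->readInt();`. Sizes of 4 or less are also accepted without any check; if a SAVE record can only be 4 or 8 bytes, `reader->validate(4 == size || 8 == size)` would state that explicitly. A short comment such as `// size comes from the serialized stream and may be arbitrary` would record why the assert became a runtime check.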