diff options
| author |  raftias <raftias@google.com> | 2016-09-29 14:31:44 -0400 |
|---|---|---|
| committer |  Skia Commit-Bot <skia-commit-bot@chromium.org> | 2016-09-29 18:59:53 +0000 |
| commit | c6cc28c35be30f9ea144f433f3f04273674e29ed (patch) | |
| tree | 8bc434df227d9c3c8e450c993f43ba92bcff517e | |
| parent | fa9f241a85c55c32a3fe2ae0324811de998f7a2e (diff) | |
Fixed invalid memory access issue in SkColorSpaceXform::apply()
Passing in a large buffer along with a source colour space that
used a CLUT would cause apply() to read freed heap memory, or
for smaller buffers read possibly re-used stack memory.
The code previously likely lucked out due to optimizations
removing most or all of the subsequent stack allocations.
BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2759
Change-Id: I39f357bce080c4d737a83dd019f0d1ccbc56f995
Reviewed-on: https://skia-review.googlesource.com/2759
Commit-Queue: Robert Aftias <raftias@google.com>
Reviewed-by: Matt Sarett <msarett@google.com>
| -rw-r--r-- | src/core/SkColorSpaceXform.cpp | 12 | ||||
| -rw-r--r-- | tests/ColorSpaceXformTest.cpp | 21 |
2 files changed, 27 insertions, 6 deletions
diff --git a/src/core/SkColorSpaceXform.cpp b/src/core/SkColorSpaceXform.cpp index 6f2f75b8b1..1c0dd880e7 100644 --- a/src/core/SkColorSpaceXform.cpp +++ b/src/core/SkColorSpaceXform.cpp @@ -1353,15 +1353,15 @@ const } } - if (fColorLUT) { - size_t storageBytes = len * sizeof(uint32_t); #if defined(GOOGLE3) - // Stack frame size is limited in GOOGLE3. - SkAutoSMalloc<256 * sizeof(uint32_t)> storage(storageBytes); + // Stack frame size is limited in GOOGLE3. + SkAutoSMalloc<256 * sizeof(uint32_t)> storage; #else - SkAutoSMalloc<1024 * sizeof(uint32_t)> storage(storageBytes); + SkAutoSMalloc<1024 * sizeof(uint32_t)> storage; #endif - + if (fColorLUT) { + size_t storageBytes = len * sizeof(uint32_t); + storage.reset(storageBytes); handle_color_lut((uint32_t*) storage.get(), src, len, fColorLUT.get()); src = (const uint32_t*) storage.get(); } diff --git a/tests/ColorSpaceXformTest.cpp b/tests/ColorSpaceXformTest.cpp index 0f74713c82..ed990fc6c4 100644 --- a/tests/ColorSpaceXformTest.cpp +++ b/tests/ColorSpaceXformTest.cpp @@ -164,3 +164,24 @@ DEF_TEST(ColorSpaceXform_NonMatchingGamma, r) { test_identity_xform(r, gammas); } + +DEF_TEST(ColorSpaceXform_applyCLUTMemoryAccess, r) { + // buffers larger than 1024 (or 256 in GOOGLE3) will force ColorSpaceXform_Base::apply() + // to heap-allocate a buffer that is used for CLUT application, and this test is here to + // ensure that it no longer causes potential invalid memory accesses when this happens + const size_t len = 2048; + SkAutoTMalloc<uint32_t> src(len); + SkAutoTMalloc<uint32_t> dst(len); + for (uint32_t i = 0; i < len; ++i) { + src[i] = i; + } + // this ICC profile has a CLUT in it + const SkString filename(GetResourcePath("icc_profiles/upperRight.icc")); + sk_sp<SkData> iccData = SkData::MakeFromFileName(filename.c_str()); + REPORTER_ASSERT_MESSAGE(r, iccData, "upperRight.icc profile required for test"); + sk_sp<SkColorSpace> srcSpace = SkColorSpace::NewICC(iccData->bytes(), iccData->size()); + sk_sp<SkColorSpace> dstSpace = SkColorSpace::NewNamed(SkColorSpace::kSRGB_Named); + auto xform = SkColorSpaceXform::New(srcSpace.get(), dstSpace.get()); + xform->apply(dst.get(), src.get(), len, SkColorSpaceXform::kRGBA_8888_ColorFormat, + SkColorSpaceXform::kRGBA_8888_ColorFormat, kUnpremul_SkAlphaType); +} |