author | Leon Scroggins III <scroggo@google.com> | 2018-02-13 16:41:03 -0500 |
---|---|---|
committer | Skia Commit-Bot <skia-commit-bot@chromium.org> | 2018-02-13 22:05:53 +0000 |
commit | fee7cbaf44553dda1a0dd4bfc87a1dfc0d7dd369 (patch) | |
tree | bb2150dcf14cba34c4f1d6c31c7d3dc3930afacd | |
parent | ffdf3ec88065d43004100a55cffca2d0c6875b38 (diff) |
Check the length of marker before reading it
Bug: os-fuzz:6295
Change-Id: I0ea9a3c54d61d41f21f2e9b945ab83fa2beb00d8
Reviewed-on: https://skia-review.googlesource.com/107025
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Leon Scroggins <scroggo@google.com>
-rw-r--r-- | resources/invalid_images/osfuzz6295.webp | bin | 0 -> 48 bytes | |||
-rw-r--r-- | src/codec/SkJpegCodec.cpp | 3 | ||||
-rw-r--r-- | tests/CodecTest.cpp | 13 |
3 files changed, 12 insertions, 4 deletions
diff --git a/resources/invalid_images/osfuzz6295.webp b/resources/invalid_images/osfuzz6295.webp Binary files differnew file mode 100644 index 0000000000..bb20aba1a7 --- /dev/null +++ b/resources/invalid_images/osfuzz6295.webp diff --git a/src/codec/SkJpegCodec.cpp b/src/codec/SkJpegCodec.cpp index d2c023b437..4f48886be2 100644 --- a/src/codec/SkJpegCodec.cpp +++ b/src/codec/SkJpegCodec.cpp @@ -62,7 +62,8 @@ static bool is_orientation_marker(jpeg_marker_struct* marker, SkEncodedOrigin* o bool is_orientation_marker(const uint8_t* data, size_t data_length, SkEncodedOrigin* orientation) { bool littleEndian; - if (!is_valid_endian_marker(data, &littleEndian)) { + // We need eight bytes to read the endian marker and the offset, below. + if (data_length < 8 || !is_valid_endian_marker(data, &littleEndian)) { return false; } diff --git a/tests/CodecTest.cpp b/tests/CodecTest.cpp index df94547600..8172751cf6 100644 --- a/tests/CodecTest.cpp +++ b/tests/CodecTest.cpp @@ -621,14 +621,20 @@ DEF_TEST(Codec_Dimensions, r) { } static void test_invalid(skiatest::Reporter* r, const char path[]) { - std::unique_ptr<SkStream> stream(GetResourceAsStream(path)); - if (!stream) { + auto data = GetResourceAsData(path); + if (!data) { + ERRORF(r, "Failed to get resources %s", path); return; } - REPORTER_ASSERT(r, !SkCodec::MakeFromStream(std::move(stream))); + + REPORTER_ASSERT(r, !SkCodec::MakeFromData(data)); } DEF_TEST(Codec_Empty, r) { + if (GetResourcePath().isEmpty()) { + return; + } + // Test images that should not be able to create a codec test_invalid(r, "empty_images/zero-dims.gif"); test_invalid(r, "empty_images/zero-embedded.ico"); @@ -648,6 +654,7 @@ DEF_TEST(Codec_Empty, r) { test_invalid(r, "empty_images/zero_height.tiff"); #endif test_invalid(r, "invalid_images/b37623797.ico"); + test_invalid(r, "invalid_images/osfuzz6295.webp"); } #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED |
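Review bot: The `data_length < 8` guard added in is_orientation_marker covers this call only, while `is_valid_endian_marker(data, &littleEndian)` still takes a bare pointer with no length, so any other caller has to remember the same check. Passing the length into the helper, or stating its precondition with a comment such as `// Precondition: the caller has verified that data holds the whole endian marker.`, would keep the bound next to the read it protects. The literal 8 is tied by the new comment to reads that happen below the hunk, so a named constant shared with those reads would stop the two drifting apart. The function body continues past the closing brace shown here; it is worth confirming that the offset taken from these bytes is itself checked against data_length before it is used to index into data.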
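Review bot: test_invalid now decodes only through `SkCodec::MakeFromData`, so the `MakeFromStream` path that every existing empty_images/ and invalid_images/ case used to exercise is no longer covered by this helper. If the switch was made to hand the decoder an exactly sized buffer (the commit message does not say), keeping the removed stream assertion `REPORTER_ASSERT(r, !SkCodec::MakeFromStream(std::move(stream)));` alongside the new one would preserve the old coverage. The early return added to Codec_Empty when `GetResourcePath().isEmpty()` skips every case without any output, so a run with a misconfigured resource path reports success; a one-line log before that `return` would make the skip visible.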
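Review bot: The new `test_invalid(r, "invalid_images/osfuzz6295.webp");` line carries no comment tying it to the bug or explaining why a .webp file guards a change made in SkJpegCodec.cpp. The assertion only checks that no codec is created, which may well hold with or without the length check, so the case probably detects a regression only when the tests run under a memory sanitizer; that is an inference from the visible lines and should be confirmed. A comment such as `// os-fuzz:6295: marker too short for the bytes read from it; meaningful under a sanitizer build.` would record that. The line also sits in DEF_TEST(Codec_Empty), whose body starts above this hunk, although the image is invalid rather than empty.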