Fix unchecked allocation in kImageFilter::Common::unflatten()

The bad news is we don't have a good way to validate the count against
the available data size.

The good news is we don't have to: most filters only use two inputs,
which will fit in the stack-reserved storage; for those who don't,
growing the input vector during deserialization should not be
problematic.

The CL drops the prea-allocation, and instead appends inputs iteratively.
Also switches the storage to SkSTArray for append/push_back() support.

Bug: oss-fuzz:8219
Change-Id: Ic6bf6e435e6e18b9e026aeb393612210c9e6e57a
Reviewed-on: https://skia-review.googlesource.com/127306
Commit-Queue: Florin Malita <fmalita@chromium.org>
Reviewed-by: Mike Reed <reed@google.com>

1 files changed, 3 insertions, 5 deletions

diff --git a/include/core/SkImageFilter.h b/include/core/SkImageFilter.h
index 094e67b394..84389b4b5a 100644
--- a/include/core/SkImageFilter.h
+++ b/include/core/SkImageFilter.h
@@ -264,16 +264,14 @@ protected:
 
         const CropRect& cropRect() const { return fCropRect; }
         int             inputCount() const { return fInputs.count(); }
-        sk_sp<SkImageFilter>* inputs() const { return fInputs.get(); }
+        sk_sp<SkImageFilter>* inputs() { return fInputs.begin(); }
 
-        sk_sp<SkImageFilter>  getInput(int index) const { return fInputs[index]; }
+        sk_sp<SkImageFilter> getInput(int index) { return fInputs[index]; }
 
     private:
         CropRect fCropRect;
         // most filters accept at most 2 input-filters
-        SkAutoSTArray<2, sk_sp<SkImageFilter>> fInputs;
-
-        void allocInputs(int count);
+        SkSTArray<2, sk_sp<SkImageFilter>, true> fInputs;
     };
 
     SkImageFilter(sk_sp<SkImageFilter> const* inputs, int inputCount, const CropRect* cropRect);