Fixed bad bitmap size crashes

There were 2 issues : 1 ) If the size of an SkBitmap's underlying SkPixelRef's alocated memory is too small to fit the bitmap, then the deserialization will now check this and set an error appropriately. 2 ) If a device fails to allocate its pixels, the device will be deleted and NULL will be returned to avoid attempting to draw on a bad device. BUG= R=senorblanco@chromium.org, reed@google.com, sugoi@google.com, halcanary@google.com, mtklein@google.com Author: sugoi@chromium.org Review URL: https://codereview.chromium.org/92793002 git-svn-id: http://skia.googlecode.com/svn/trunk@12484 2bbb7eff-a529-9590-31e7-b0007b416f81
author: commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81> 2013-12-04 17:06:49 +0000
committer: commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81> 2013-12-04 17:06:49 +0000
commit: cd3b15ca6364a04b0eeeb4f89c7daa8aefe854c8 (patch)
tree: a8153f3f6fcd156fec3d8d46555c2d81c1e90b67 /samplecode
parent: 2b7d4639901e03a43278dfec0b949bc4535b90e2 (diff)
1 files changed, 39 insertions, 10 deletions
diff --git a/samplecode/SampleFilterFuzz.cpp b/samplecode/SampleFilterFuzz.cpp
index 3e3436f448..d15c6ebc90 100644
--- a/samplecode/SampleFilterFuzz.cpp
+++ b/samplecode/SampleFilterFuzz.cpp
@@ -25,10 +25,13 @@
 #include "SkPerlinNoiseShader.h"
 #include "SkRandom.h"
 #include "SkRectShaderImageFilter.h"
+#include "SkTileImageFilter.h"
 #include "SkView.h"
 #include "SkXfermodeImageFilter.h"
+#include <stdio.h>
+#include <time.h>
 
-static const uint32_t kSeed = 1;
+static const uint32_t kSeed = (uint32_t)(time(NULL));
 static SkRandom gRand(kSeed);
 static bool return_large = false;
 static bool return_undef = false;
@@ -83,9 +86,9 @@ static SkScalar make_scalar(bool positiveOnly = false) {
     return make_number(positiveOnly);
 }
 
-static SkRect make_rect(int offset = 1) {
-    return SkRect::MakeWH(SkIntToScalar(R(static_cast<float>(kBitmapSize))+offset),
-                          SkIntToScalar(R(static_cast<float>(kBitmapSize))+offset));
+static SkRect make_rect() {
+    return SkRect::MakeWH(SkIntToScalar(R(static_cast<float>(kBitmapSize))),
+                          SkIntToScalar(R(static_cast<float>(kBitmapSize))));
 }
 
 static SkXfermode::Mode make_xfermode() {
@@ -163,7 +166,7 @@ static SkImageFilter* make_image_filter(bool canBeNull = true) {
 
     enum { BICUBIC, MERGE, COLOR, BLUR, MAGNIFIER, XFERMODE, OFFSET, COMPOSE,
            DISTANT_LIGHT, POINT_LIGHT, SPOT_LIGHT, NOISE, DROP_SHADOW,
-           MORPHOLOGY, BITMAP, DISPLACE, NUM_FILTERS };
+           MORPHOLOGY, BITMAP, DISPLACE, TILE, NUM_FILTERS };
 
     switch (R(NUM_FILTERS)) {
     case BICUBIC:
@@ -185,7 +188,7 @@ static SkImageFilter* make_image_filter(bool canBeNull = true) {
         filter = new SkBlurImageFilter(make_scalar(true), make_scalar(true), make_image_filter());
         break;
     case MAGNIFIER:
-        filter = new SkMagnifierImageFilter(make_rect(0), make_scalar(true));
+        filter = new SkMagnifierImageFilter(make_rect(), make_scalar(true));
         break;
     case XFERMODE:
     {
@@ -256,6 +259,9 @@ static SkImageFilter* make_image_filter(bool canBeNull = true) {
                      make_channel_selector_type(), make_scalar(),
                      make_image_filter(false), make_image_filter());
         break;
+    case TILE:
+        filter = new SkTileImageFilter(make_rect(), make_rect(), make_image_filter(false));
+        break;
     default:
         break;
     }
@@ -270,14 +276,27 @@ static SkImageFilter* make_serialized_image_filter() {
 #ifdef SK_ADD_RANDOM_BIT_FLIPS
     unsigned char* p = const_cast<unsigned char*>(ptr);
     for (size_t i = 0; i < len; ++i, ++p) {
-        if ((R(1000) == 1)) { // 0.1% of the time, flip a bit
-            *p ^= (1 << R(8));
+        if (R(250) == 1) { // 0.4% of the time, flip a bit or byte
+            if (R(10) == 1) { // Then 10% of the time, change a whole byte
+                switch(R(3)) {
+                case 0:
+                    *p ^= 0xFF; // Flip entire byte
+                    break;
+                case 1:
+                    *p = 0xFF; // Set all bits to 1
+                    break;
+                case 2:
+                    *p = 0x00; // Set all bits to 0
+                    break;
+                }
+            } else {
+                *p ^= (1 << R(8));
+            }
         }
     }
 #endif // SK_ADD_RANDOM_BIT_FLIPS
     SkFlattenable* flattenable = SkValidatingDeserializeFlattenable(ptr, len,
                                     SkImageFilter::GetFlattenableType());
-    SkASSERT(NULL != flattenable);
     return static_cast<SkImageFilter*>(flattenable);
 }
 
@@ -290,8 +309,18 @@ static void drawClippedBitmap(SkCanvas* canvas, int x, int y, const SkPaint& pai
 }
 
 static void do_fuzz(SkCanvas* canvas) {
+#ifdef SK_FUZZER_IS_VERBOSE
+    static uint32_t filterId = 0;
+    if (0 == filterId) {
+        printf("Fuzzing with %u\n", kSeed);
+    }
+    printf("Filter no %u\r", filterId);
+    fflush(stdout);
+    filterId++;
+#endif
+
     SkPaint paint;
-    paint.setImageFilter(make_serialized_image_filter())->unref();
+    SkSafeUnref(paint.setImageFilter(make_serialized_image_filter()));
     drawClippedBitmap(canvas, 0, 0, paint);
 }
author	commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81>	2013-12-04 17:06:49 +0000
committer	commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81>	2013-12-04 17:06:49 +0000
commit	cd3b15ca6364a04b0eeeb4f89c7daa8aefe854c8 (patch)
tree	a8153f3f6fcd156fec3d8d46555c2d81c1e90b67 /samplecode
parent	2b7d4639901e03a43278dfec0b949bc4535b90e2 (diff)