author | 2013-12-04 17:06:49 +0000 | |
---|---|---|
committer | 2013-12-04 17:06:49 +0000 | |
commit | cd3b15ca6364a04b0eeeb4f89c7daa8aefe854c8 (patch) | |
tree | a8153f3f6fcd156fec3d8d46555c2d81c1e90b67 /src/core/SkBitmap.cpp | |
parent | 2b7d4639901e03a43278dfec0b949bc4535b90e2 (diff) |
Fixed bad bitmap size crashes
There were 2 issues :
1 ) If the size of an SkBitmap's underlying SkPixelRef's allocated memory is too small to fit the bitmap, then the deserialization will now check this and set an error appropriately.
2 ) If a device fails to allocate its pixels, the device will be deleted and NULL will be returned to avoid attempting to draw on a bad device.
BUG=
R=senorblanco@chromium.org, reed@google.com, sugoi@google.com, halcanary@google.com, mtklein@google.com
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/92793002
git-svn-id: http://skia.googlecode.com/svn/trunk@12484 2bbb7eff-a529-9590-31e7-b0007b416f81
Diffstat (limited to 'src/core/SkBitmap.cpp')
-rw-r--r-- | src/core/SkBitmap.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/core/SkBitmap.cpp b/src/core/SkBitmap.cpp
index 9d4aa87c85..ad840c4390 100644
--- a/src/core/SkBitmap.cpp
+++ b/src/core/SkBitmap.cpp
@@ -1560,6 +1560,7 @@ void SkBitmap::unflatten(SkFlattenableReadBuffer& buffer) {
 SkIsValidConfig(config) && validate_alphaType(config, alphaType));
 this->setConfig(config, width, height, rowBytes, alphaType);
+ buffer.validate(fRowBytes >= (fWidth * fBytesPerPixel));
 int reftype = buffer.readInt();
 if (buffer.validate((SERIALIZE_PIXELTYPE_REF_DATA == reftype) ||
@@ -1568,6 +1569,10 @@ void SkBitmap::unflatten(SkFlattenableReadBuffer& buffer) {
 case SERIALIZE_PIXELTYPE_REF_DATA: {
 size_t offset = buffer.readUInt();
 SkPixelRef* pr = buffer.readPixelRef();
+ if (!buffer.validate((NULL == pr) ||
+ (pr->getAllocatedSizeInBytes() >= (offset + this->getSafeSize())))) {
+ offset = 0;
+ }
 SkSafeUnref(this->setPixelRef(pr, offset));
 break;
 } |
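Review bot: The added row-bytes check multiplies `fWidth * fBytesPerPixel` before comparing, so if that product is evaluated in 32 bits a large width taken from the serialized stream can wrap it and let an undersized `fRowBytes` pass. The second hunk has the same shape in `offset + this->getSafeSize()`, where `offset` comes straight from `buffer.readUInt()` and the sum can wrap on a build with a 32-bit `size_t`. Widening or rearranging removes the wrap: `buffer.validate(static_cast<uint64_t>(fRowBytes) >= static_cast<uint64_t>(fWidth) * fBytesPerPixel);` here, and `(offset <= size) && (this->getSafeSize() <= size - offset)` there, with `size` holding `pr->getAllocatedSizeInBytes()`. The field types and whatever clamping `setConfig` applies are declared outside this hunk, so confirm them before relying on the current form.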
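Review bot: When the size check in the `SERIALIZE_PIXELTYPE_REF_DATA` case fails, the new branch only resets `offset` to 0 and the following `setPixelRef(pr, offset)` still attaches the pixel ref that was just found too small for the bitmap. Safety then depends on every caller checking the buffer's error state before reading or writing pixels. Releasing the ref in the failure branch would leave the bitmap with no pixels instead: add `SkSafeUnref(pr); pr = NULL;` next to `offset = 0;`, assuming `readPixelRef()` returns an owned reference as the `SkSafeUnref(this->setPixelRef(...))` line suggests. The enclosing switch and the rest of `unflatten` lie outside the hunk.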