author | gogil <gogil@stealien.com> | 2016-08-14 02:12:40 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-08-14 02:12:40 -0700 |
commit | 40ff5fe59b77b0b3e34467cc2f8666e4e88356f9 (patch) | |
tree | 2e9f72cf71f6f8b495c382f695e5bc8142f45940 /src/core/SkColorSpace_ICC.cpp | |
parent | 1e4a389dbf7ea02ae5daa8db7bd9e21899953e7b (diff) |
Prevent overflows when using gamma_alloc_size
BUG=636268
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2230163002
Review-Url: https://codereview.chromium.org/2230163002
Diffstat (limited to 'src/core/SkColorSpace_ICC.cpp')
-rwxr-xr-x[-rw-r--r--] | src/core/SkColorSpace_ICC.cpp | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/src/core/SkColorSpace_ICC.cpp b/src/core/SkColorSpace_ICC.cpp
index f8ad47a6cd..e28a7464aa 100644..100755
--- a/src/core/SkColorSpace_ICC.cpp
+++ b/src/core/SkColorSpace_ICC.cpp
@@ -787,7 +787,9 @@ static bool load_a2b0(sk_sp<SkColorLookUpTable>* colorLUT, SkColorSpace::GammaNa
 if (SkGammas::Type::kNamed_Type == rType) {
 *gammaNamed = rData.fNamed;
 } else {
- size_t allocSize = sizeof(SkGammas) + gamma_alloc_size(rType, rData);
+ size_t allocSize = sizeof(SkGammas);
+ return_if_false(safe_add(allocSize, gamma_alloc_size(rType, rData), &allocSize),
+ "SkGammas struct is too large to allocate");
 void* memory = sk_malloc_throw(allocSize);
 *gammas = sk_sp<SkGammas>(new (memory) SkGammas());
 load_gammas(memory, 0, rType, &rData, rParams, rTagPtr);
@@ -819,9 +821,13 @@ static bool load_a2b0(sk_sp<SkColorLookUpTable>* colorLUT, SkColorSpace::GammaNa
 tagLen);
 handle_invalid_gamma(&bType, &bData);
- size_t allocSize = sizeof(SkGammas) + gamma_alloc_size(rType, rData)
- + gamma_alloc_size(gType, gData)
- + gamma_alloc_size(bType, bData);
+ size_t allocSize = sizeof(SkGammas);
+ return_if_false(safe_add(allocSize, gamma_alloc_size(rType, rData), &allocSize),
+ "SkGammas struct is too large to allocate");
+ return_if_false(safe_add(allocSize, gamma_alloc_size(gType, gData), &allocSize),
+ "SkGammas struct is too large to allocate");
+ return_if_false(safe_add(allocSize, gamma_alloc_size(bType, bData), &allocSize),
+ "SkGammas struct is too large to allocate");
 void* memory = sk_malloc_throw(allocSize);
 *gammas = sk_sp<SkGammas>(new (memory) SkGammas());
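Review bot: The added safe_add guards only the running sum, so a wrap inside gamma_alloc_size itself would still reach `sk_malloc_throw(allocSize)` unnoticed, both at this call site and at the three later ones (the hunks starting at new lines 821, 976 and 1011). gamma_alloc_size is defined outside this diff; if it scales a count read from the profile by an element size, that product needs its own overflow check, and either way the definition should carry a contract comment such as `// Must not overflow: callers treat this value as exact and only overflow-check the sum.` load_a2b0 starts and ends outside the hunk, but the placement-new and load_gammas call that follow write into `memory` on the assumption that allocSize covers the whole payload, which is why an undersized value matters here. Separately, the index line shows the file mode changing from 100644 to 100755, which marks a .cpp source as executable and looks unintentional.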
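Review bot: The three-channel size check is written in two different shapes in this commit: three separate `return_if_false` calls here in load_a2b0, and a single `||` chain in the NewICC hunk at new line 1011, with the same message string repeated each time. Folding this site into one short-circuit condition would keep the two parallel and leave one message to maintain: `return_if_false(safe_add(allocSize, gamma_alloc_size(rType, rData), &allocSize) && safe_add(allocSize, gamma_alloc_size(gType, gData), &allocSize) && safe_add(allocSize, gamma_alloc_size(bType, bData), &allocSize), "SkGammas struct is too large to allocate");`. This assumes the return_if_false macro, which is not shown, evaluates its condition exactly once. The `&&` ordering keeps the accumulation into allocSize well defined.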
@@ -970,7 +976,10 @@ sk_sp<SkColorSpace> SkColorSpace::NewICC(const void* input, size_t len) {
 if (SkGammas::Type::kNamed_Type == type) {
 gammaNamed = data.fNamed;
 } else {
- size_t allocSize = sizeof(SkGammas) + gamma_alloc_size(type, data);
+ size_t allocSize = sizeof(SkGammas);
+ if (!safe_add(allocSize, gamma_alloc_size(type, data), &allocSize)) {
+ return_null("SkGammas struct is too large to allocate");
+ }
 void* memory = sk_malloc_throw(allocSize);
 gammas = sk_sp<SkGammas>(new (memory) SkGammas());
 load_gammas(memory, 0, type, &data, params, r->addr(base));
@@ -1002,9 +1011,13 @@ sk_sp<SkColorSpace> SkColorSpace::NewICC(const void* input, size_t len) {
 parse_gamma(&bData, &bParams, &tagBytes, b->addr(base), b->fLength);
 handle_invalid_gamma(&bType, &bData);
- size_t allocSize = sizeof(SkGammas) + gamma_alloc_size(rType, rData)
- + gamma_alloc_size(gType, gData)
- + gamma_alloc_size(bType, bData);
+ size_t allocSize = sizeof(SkGammas);
+ if (!safe_add(allocSize, gamma_alloc_size(rType, rData), &allocSize) ||
+ !safe_add(allocSize, gamma_alloc_size(gType, gData), &allocSize) ||
+ !safe_add(allocSize, gamma_alloc_size(bType, bData), &allocSize))
+ {
+ return_null("SkGammas struct is too large to allocate");
+ }
 void* memory = sk_malloc_throw(allocSize);
 gammas = sk_sp<SkGammas>(new (memory) SkGammas()); |