diff options
| author |  ajuma <ajuma@chromium.org> | 2016-02-02 06:14:47 -0800 |
|---|---|---|
| committer |  Commit bot <commit-bot@chromium.org> | 2016-02-02 06:14:47 -0800 |
| commit | 0735de67c8a0812ae2fd103ae1bd7f2157c6a0b2 (patch) | |
| tree | 6c34796ec00a8f6d021f93e457097ecf5a180070 /src/core/SkPathRef.cpp | |
| parent | 2ac722f1f8b675eebc89ca1c2d7d44cfc887b58a (diff) | |
Fix fuzzer-found deserialization bug in SkPathRef
This fixes a bug in SkPathRef::CreateFromBuffer found by
fuzzing SkPaintImageFilter.
BUG=582705
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1653003004
Review URL: https://codereview.chromium.org/1653003004
Diffstat (limited to 'src/core/SkPathRef.cpp')
| -rw-r--r-- | src/core/SkPathRef.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/core/SkPathRef.cpp b/src/core/SkPathRef.cpp index cf4e8ffba2..49a04999ac 100644 --- a/src/core/SkPathRef.cpp +++ b/src/core/SkPathRef.cpp @@ -9,6 +9,7 @@ #include "SkOncePtr.h" #include "SkPath.h" #include "SkPathRef.h" +#include <limits> ////////////////////////////////////////////////////////////////////////////// SkPathRef::Editor::Editor(SkAutoTUnref<SkPathRef>* pathRef, @@ -136,11 +137,16 @@ SkPathRef* SkPathRef::CreateFromBuffer(SkRBuffer* buffer) { bool isRRect = (packed >> kIsRRect_SerializationShift) & 1; int32_t verbCount, pointCount, conicCount; + ptrdiff_t maxPtrDiff = std::numeric_limits<ptrdiff_t>::max(); if (!buffer->readU32(&(ref->fGenerationID)) || !buffer->readS32(&verbCount) || verbCount < 0 || + static_cast<uint32_t>(verbCount) > maxPtrDiff/sizeof(uint8_t) || !buffer->readS32(&pointCount) || pointCount < 0 || + static_cast<uint32_t>(pointCount) > maxPtrDiff/sizeof(SkPoint) || + sizeof(uint8_t) * verbCount + sizeof(SkPoint) * pointCount > + static_cast<size_t>(maxPtrDiff) || !buffer->readS32(&conicCount) || conicCount < 0) { delete ref; |