diff options
author | 2014-11-12 09:25:25 -0800 | |
---|---|---|
committer | 2014-11-12 09:25:25 -0800 | |
commit | ac6a2f964ee9821df6a4a8f3c46796322a4c37b8 (patch) | |
tree | 1ad3c2f0fad361dc2285d388b77fdf591b029089 /src/core/SkPictureData.cpp | |
parent | 257bf0f6f7b0c4f55e6eb9e0fa1290cd5c2fcf9f (diff) |
detect bad bitmaps during deserialization
BUG=skia:3117
Review URL: https://codereview.chromium.org/718103002
Diffstat (limited to 'src/core/SkPictureData.cpp')
-rw-r--r-- | src/core/SkPictureData.cpp | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/src/core/SkPictureData.cpp b/src/core/SkPictureData.cpp index 0ccb7764c4..556e2a5d90 100644 --- a/src/core/SkPictureData.cpp +++ b/src/core/SkPictureData.cpp @@ -392,6 +392,7 @@ bool SkPictureData::parseStreamTag(SkStream* stream, return false; } + /* Should we use SkValidatingReadBuffer instead? */ SkReadBuffer buffer(storage.get(), size); buffer.setFlags(pictInfoFlagsToReadBufferFlags(fInfo.fFlags)); buffer.setVersion(fInfo.fVersion); @@ -400,13 +401,16 @@ bool SkPictureData::parseStreamTag(SkStream* stream, fTFPlayback.setupBuffer(buffer); buffer.setBitmapDecoder(proc); - while (!buffer.eof()) { + while (!buffer.eof() && buffer.isValid()) { tag = buffer.readUInt(); size = buffer.readUInt(); if (!this->parseBufferTag(buffer, tag, size)) { return false; } } + if (!buffer.isValid()) { + return false; + } SkDEBUGCODE(haveBuffer = true;) } break; } @@ -421,8 +425,11 @@ bool SkPictureData::parseBufferTag(SkReadBuffer& buffer, fBitmaps = SkTRefArray<SkBitmap>::Create(size); for (int i = 0; i < count; ++i) { SkBitmap* bm = &fBitmaps->writableAt(i); - buffer.readBitmap(bm); - bm->setImmutable(); + if (buffer.readBitmap(bm)) { + bm->setImmutable(); + } else { + return false; + } } } break; case SK_PICT_PAINT_BUFFER_TAG: { |