path: root/src/core/SkPicturePlayback.cpp
author: robertphillips <robertphillips@google.com> 2016-06-28 09:04:34 -0700
committer: Commit bot <commit-bot@chromium.org> 2016-06-28 09:04:34 -0700
commit: 74139f1b49d02b38006170c3e50439c1b33b175f (patch)
tree: 3cd0f91864e139eb5fc413b013142979b3f8242d /src/core/SkPicturePlayback.cpp
parent: ab527a5bbfb1eae4f99a1435d349a44d00477d82 (diff)
Address two fuzzer bugs:
SkImageInfos that were made invalid weren't being caught
Messing with the size of a SAVE record wasn't being caught

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2104973003
Review-Url: https://codereview.chromium.org/2104973003
Diffstat (limited to 'src/core/SkPicturePlayback.cpp')
-rw-r--r-- src/core/SkPicturePlayback.cpp 5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/core/SkPicturePlayback.cpp b/src/core/SkPicturePlayback.cpp
index 36d385c095..3cbcdbbd2f 100644
--- a/src/core/SkPicturePlayback.cpp
+++ b/src/core/SkPicturePlayback.cpp
@@ -543,8 +543,9 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader,
case SAVE:
// SKPs with version < 29 also store a SaveFlags param.
if (size > 4) {
- SkASSERT(8 == size);
- reader->readInt();
+ if (reader->validate(8 == size)) {
+ reader->readInt();
+ }
}
canvas->save();
break;
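Review bot: In the SAVE case, when `size > 4` and `reader->validate(8 == size)` fails, only the `readInt()` is skipped; control still falls through to `canvas->save()`, so a record with a tampered size continues to change canvas state. Consider leaving the case early on failure, e.g. `if (!reader->validate(8 == size)) { break; }`, or, if the caller is expected to stop playback after a failed validate, say so in a comment next to the check so the fall-through reads as intentional. Replacing the debug-only `SkASSERT` with a check that also runs in release builds is the right direction for fuzzer-supplied input; a regression test with a SAVE record whose size is neither 4 nor 8 would keep it from regressing.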