author | sugoi@google.com <sugoi@google.com@2bbb7eff-a529-9590-31e7-b0007b416f81> | 2013-11-04 16:18:15 +0000 |
---|---|---|
committer | sugoi@google.com <sugoi@google.com@2bbb7eff-a529-9590-31e7-b0007b416f81> | 2013-11-04 16:18:15 +0000 |
commit | 305f78e8c18a26b7ead11758d6a4fa0519932cca (patch) | |
tree | 84ce0e834d8c52393c0b52190fa0583168304ffd /src/core/SkRegion.cpp | |
parent | fe2faa8b16e2a607543c5b30637e7da54012e169 (diff) |
Checking structure sizes before reading them from memory to avoid overflowing the buffer's stream.
BUG=
R=reed@google.com
Review URL: https://codereview.chromium.org/41253002
git-svn-id: http://skia.googlecode.com/svn/trunk@12114 2bbb7eff-a529-9590-31e7-b0007b416f81
Diffstat (limited to 'src/core/SkRegion.cpp')
-rw-r--r-- | src/core/SkRegion.cpp | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/src/core/SkRegion.cpp b/src/core/SkRegion.cpp
index 02994bffb0..468be67154 100644
--- a/src/core/SkRegion.cpp
+++ b/src/core/SkRegion.cpp
@@ -1100,9 +1100,9 @@ bool SkRegion::op(const SkRegion& rgna, const SkRegion& rgnb, Op op) {
 #include "SkBuffer.h"
-uint32_t SkRegion::writeToMemory(void* storage) const {
+size_t SkRegion::writeToMemory(void* storage) const {
 if (NULL == storage) {
- uint32_t size = sizeof(int32_t); // -1 (empty), 0 (rect), runCount
+ size_t size = sizeof(int32_t); // -1 (empty), 0 (rect), runCount
 if (!this->isEmpty()) {
 size += sizeof(fBounds);
 if (this->isComplex()) {
@@ -1133,11 +1133,11 @@ uint32_t SkRegion::writeToMemory(void* storage) const {
 return buffer.pos();
 }
-uint32_t SkRegion::readFromMemory(const void* storage) {
- SkRBuffer buffer(storage);
- SkRegion tmp;
- int32_t count;
-
+size_t SkRegion::readFromMemory(const void* storage, size_t length) {
+ SkRBufferWithSizeCheck buffer(storage, length);
+ SkRegion tmp;
+ int32_t count;
+
 count = buffer.readS32();
 if (count >= 0) {
 buffer.read(&tmp.fBounds, sizeof(tmp.fBounds));
@@ -1150,8 +1150,12 @@ uint32_t SkRegion::readFromMemory(const void* storage) {
 buffer.read(tmp.fRunHead->writable_runs(), count * sizeof(RunType));
 }
 }
- this->swap(tmp);
- return buffer.pos();
+ size_t sizeRead = 0;
+ if (buffer.isValid()) {
+ this->swap(tmp);
+ sizeRead = buffer.pos();
+ }
+ return sizeRead;
 }
 /////////////////////////////////////////////////////////////////////////////// |
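Review bot: In the new `readFromMemory`, `count` is taken straight from the caller-supplied buffer and only tested with `count >= 0` before it is used. The lines between this hunk and the next are not shown, but the later `count * sizeof(RunType)` read suggests `count` also sizes the run storage there, before `buffer.isValid()` is ever consulted. I would bound it against the input right after `buffer.readS32()`, for example `if (!buffer.isValid() || (count > 0 && static_cast<size_t>(count) > length / sizeof(RunType))) return 0;`. That way a truncated or hostile buffer cannot drive a large allocation, and the multiplication cannot wrap where `size_t` is 32 bits. The function body continues outside the hunk.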
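Review bot: The `buffer.isValid()` gate before `this->swap(tmp)` only shows that the reads stayed within `length`; nothing visible checks that the decoded runs form a well-formed region. A run array that is length-consistent but malformed (for example spans that disagree with `fBounds`) would be swapped in, and later region operations would presumably walk it as trusted data. I would validate `tmp` here and return 0 on failure, the same way the size check does. The declaration also deserves a comment such as `// Returns the number of bytes read, or 0 if the buffer was rejected (the region is left unchanged).`, since callers previously received an always-nonzero byte count. The start of `readFromMemory` is outside this hunk.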