Checking structure sizes before reading them from memory to avoid overflowing the buffer's stream.

BUG= R=reed@google.com, mtklein@google.com, senorblanco@chromium.org Committed: https://code.google.com/p/skia/source/detail?r=12114 Committed: https://code.google.com/p/skia/source/detail?r=12119 Author: sugoi@chromium.org Review URL: https://codereview.chromium.org/41253002 git-svn-id: http://skia.googlecode.com/svn/trunk@12130 2bbb7eff-a529-9590-31e7-b0007b416f81
author: commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81> 2013-11-05 15:46:56 +0000
committer: commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81> 2013-11-05 15:46:56 +0000
commit: 4faa869cdabbdcf4867118b4a1272296baaeeb52 (patch)
tree: 98283bc90add39d00d98ac4dfde9af051816637a /src/core/SkRegion.cpp
parent: fedf13d73a6d6f1921ce5f449bb6e34e9d8e14e4 (diff)
1 files changed, 17 insertions, 11 deletions
diff --git a/src/core/SkRegion.cpp b/src/core/SkRegion.cpp
index 02994bffb0..59af1c2f7a 100644
--- a/src/core/SkRegion.cpp
+++ b/src/core/SkRegion.cpp
@@ -1100,9 +1100,9 @@ bool SkRegion::op(const SkRegion& rgna, const SkRegion& rgnb, Op op) {
 
 #include "SkBuffer.h"
 
-uint32_t SkRegion::writeToMemory(void* storage) const {
+size_t SkRegion::writeToMemory(void* storage) const {
     if (NULL == storage) {
-        uint32_t size = sizeof(int32_t); // -1 (empty), 0 (rect), runCount
+        size_t size = sizeof(int32_t); // -1 (empty), 0 (rect), runCount
         if (!this->isEmpty()) {
             size += sizeof(fBounds);
             if (this->isComplex()) {
@@ -1133,11 +1133,11 @@ uint32_t SkRegion::writeToMemory(void* storage) const {
     return buffer.pos();
 }
 
-uint32_t SkRegion::readFromMemory(const void* storage) {
-    SkRBuffer   buffer(storage);
-    SkRegion    tmp;
-    int32_t     count;
-
+size_t SkRegion::readFromMemory(const void* storage, size_t length) {
+    SkRBufferWithSizeCheck  buffer(storage, length);
+    SkRegion                tmp;
+    int32_t                 count;
+    
     count = buffer.readS32();
     if (count >= 0) {
         buffer.read(&tmp.fBounds, sizeof(tmp.fBounds));
@@ -1146,12 +1146,18 @@ uint32_t SkRegion::readFromMemory(const void* storage) {
         } else {
             int32_t ySpanCount = buffer.readS32();
             int32_t intervalCount = buffer.readS32();
-            tmp.allocateRuns(count, ySpanCount, intervalCount);
-            buffer.read(tmp.fRunHead->writable_runs(), count * sizeof(RunType));
+            if (buffer.isValid()) {
+                tmp.allocateRuns(count, ySpanCount, intervalCount);
+                buffer.read(tmp.fRunHead->writable_runs(), count * sizeof(RunType));
+            }
         }
     }
-    this->swap(tmp);
-    return buffer.pos();
+    size_t sizeRead = 0;
+    if (buffer.isValid()) {
+        this->swap(tmp);
+        sizeRead = buffer.pos();
+    }
+    return sizeRead;
 }
 
 ///////////////////////////////////////////////////////////////////////////////
author	commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81>	2013-11-05 15:46:56 +0000
committer	commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81>	2013-11-05 15:46:56 +0000
commit	4faa869cdabbdcf4867118b4a1272296baaeeb52 (patch)
tree	98283bc90add39d00d98ac4dfde9af051816637a /src/core/SkRegion.cpp
parent	fedf13d73a6d6f1921ce5f449bb6e34e9d8e14e4 (diff)