author | 2016-09-26 09:00:36 -0400 | |
---|---|---|
committer | 2016-09-26 14:47:43 +0000 | |
commit | b2526041ba83a66ba66be237d9e83578ed6f2c1c (patch) | |
tree | 55a23c0cfa67363a0c92f992a3be93c5d5919c22 /src/core/SkValidatingReadBuffer.cpp | |
parent | 0dc744ac340ee061faf4518be85cc28e38a4471b (diff) |
Fix some fuzzer complaints
In one case the fuzzer was switching the picture's op code to an invalid value.
In the other two the fuzzer was maxing out the number of points passed to drawPoints and the number of characters passed to drawTextRSXform. In these cases the validation would fail but still return a pointer into the data stream.
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2593
Change-Id: Id6d4e6b7bcbae38ace7ad1d92ffcfa5c02f9fb61
Reviewed-on: https://skia-review.googlesource.com/2593
Reviewed-by: Mike Reed <reed@google.com>
Diffstat (limited to 'src/core/SkValidatingReadBuffer.cpp')
-rw-r--r-- | src/core/SkValidatingReadBuffer.cpp | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/core/SkValidatingReadBuffer.cpp b/src/core/SkValidatingReadBuffer.cpp index d57e499cc1..e1b84d597f 100644 --- a/src/core/SkValidatingReadBuffer.cpp +++ b/src/core/SkValidatingReadBuffer.cpp @@ -44,9 +44,11 @@ const void* SkValidatingReadBuffer::skip(size_t size) { size_t inc = SkAlign4(size); const void* addr = fReader.peek(); this->validate(IsPtrAlign4(addr) && fReader.isAvailable(inc)); - if (!fError) { - fReader.skip(size); + if (fError) { + return nullptr; } + + fReader.skip(size); return addr; } |
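Review bot: In the rewritten tail of `skip()`, the availability check is made against `inc = SkAlign4(size)` but the reader is then advanced with `fReader.skip(size)`; either pass `inc` or add a comment stating that `fReader.skip` rounds up itself, so that the validated length and the consumed length are visibly the same. Because `skip()` now returns `nullptr` when validation fails, a short comment on the function stating that contract would help callers check the result before dereferencing it. It is also worth confirming that `SkAlign4(size)` cannot wrap for a `size` near the maximum of `size_t`, since the commit message says the fuzzer was maxing out counts; a wrapped `inc` would make `fReader.isAvailable(inc)` pass for a request that is far too large.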