diff options
| author |  commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81> | 2013-10-31 18:37:50 +0000 |
|---|---|---|
| committer | commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81> | 2013-10-31 18:37:50 +0000 |
| commit | 025128811219dc45fd99b6c4d1d14f833cf7a26e (patch) | |
| tree | 13a1ed285bb5a34fae47212c02e0aec4c979fe46 /src/core/SkValidatingReadBuffer.h | |
| parent | 4469938e92d779dff05e745559e67907bbf21e78 (diff) | |
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
Diffstat (limited to 'src/core/SkValidatingReadBuffer.h')
| -rw-r--r-- | src/core/SkValidatingReadBuffer.h | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/src/core/SkValidatingReadBuffer.h b/src/core/SkValidatingReadBuffer.h index c854b0af2c..4d1919b62c 100644 --- a/src/core/SkValidatingReadBuffer.h +++ b/src/core/SkValidatingReadBuffer.h @@ -47,24 +47,24 @@ public: virtual void readPath(SkPath* path) SK_OVERRIDE; // binary data and arrays - virtual uint32_t readByteArray(void* value) SK_OVERRIDE; - virtual uint32_t readColorArray(SkColor* colors) SK_OVERRIDE; - virtual uint32_t readIntArray(int32_t* values) SK_OVERRIDE; - virtual uint32_t readPointArray(SkPoint* points) SK_OVERRIDE; - virtual uint32_t readScalarArray(SkScalar* values) SK_OVERRIDE; + virtual bool readByteArray(void* value, size_t size) SK_OVERRIDE; + virtual bool readColorArray(SkColor* colors, size_t size) SK_OVERRIDE; + virtual bool readIntArray(int32_t* values, size_t size) SK_OVERRIDE; + virtual bool readPointArray(SkPoint* points, size_t size) SK_OVERRIDE; + virtual bool readScalarArray(SkScalar* values, size_t size) SK_OVERRIDE; // helpers to get info about arrays and binary data virtual uint32_t getArrayCount() SK_OVERRIDE; virtual void readBitmap(SkBitmap* bitmap) SK_OVERRIDE; // TODO: Implement this (securely) when needed - virtual SkTypeface* readTypeface() SK_OVERRIDE { return NULL; } + virtual SkTypeface* readTypeface() SK_OVERRIDE; - virtual void validate(bool isValid) SK_OVERRIDE { - fError = fError || !isValid; - } + virtual void validate(bool isValid) SK_OVERRIDE; private: + bool readArray(void* value, size_t size, size_t elementSize); + void setMemory(const void* data, size_t size); static bool IsPtrAlign4(const void* ptr) { |