diff options
| author |  Florin Malita <fmalita@chromium.org> | 2017-11-19 10:22:22 -0500 |
|---|---|---|
| committer |  Skia Commit-Bot <skia-commit-bot@chromium.org> | 2017-11-20 19:48:48 +0000 |
| commit | 1e18aa6d7df79ce36fa7f6b86dc24dc4ffe9a374 (patch) | |
| tree | eebe0a232a520e48985de2975682ebbc2e737594 /src/core | |
| parent | a0ba714ad5ee26b3f1929aa572eb77cc71809e64 (diff) | |
Harden SkTextBlob deserialization
1) validate allocInternal args - these can originate either from users
or deserialization
2) skip invoking SkTypefaceResolverProc if we failed to read a valid id
in SkTypefaceResolverReadBuffer::readTypeface
3) validate textSize and buffer sanity in MakeFromBuffer before
attempting to allocate runs
BUG=chromium:786524
Change-Id: I6cf80dc60bc3ca6fcad7198d36dacf84d091b779
Reviewed-on: https://skia-review.googlesource.com/73521
Reviewed-by: Mike Reed <reed@google.com>
Commit-Queue: Florin Malita <fmalita@chromium.org>
Diffstat (limited to 'src/core')
| -rw-r--r-- | src/core/SkTextBlob.cpp | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/src/core/SkTextBlob.cpp b/src/core/SkTextBlob.cpp index c6325dfbc5..4a029287b0 100644 --- a/src/core/SkTextBlob.cpp +++ b/src/core/SkTextBlob.cpp @@ -596,10 +596,13 @@ bool SkTextBlobBuilder::mergeRun(const SkPaint &font, SkTextBlob::GlyphPositioni void SkTextBlobBuilder::allocInternal(const SkPaint &font, SkTextBlob::GlyphPositioning positioning, - int count, int textSize, SkPoint offset, const SkRect* bounds) { - SkASSERT(count > 0); - SkASSERT(textSize >= 0); - SkASSERT(SkPaint::kGlyphID_TextEncoding == font.getTextEncoding()); + int count, int textSize, SkPoint offset, + const SkRect* bounds) { + if (count <= 0 || textSize < 0 || font.getTextEncoding() != SkPaint::kGlyphID_TextEncoding) { + fCurrentRunBuffer = { nullptr, nullptr, nullptr, nullptr }; + return; + } + if (textSize != 0 || !this->mergeRun(font, positioning, count, offset)) { this->updateDeferredBounds(); @@ -772,13 +775,20 @@ sk_sp<SkTextBlob> SkTextBlob::MakeFromBuffer(SkReadBuffer& reader) { if (glyphCount <= 0 || pos > kFull_Positioning) { return nullptr; } - uint32_t textSize = pe.extended ? (uint32_t)reader.read32() : 0; + int textSize = pe.extended ? reader.read32() : 0; + if (textSize < 0) { + return nullptr; + } SkPoint offset; reader.readPoint(&offset); SkPaint font; reader.readPaint(&font); + if (!reader.isValid()) { + return nullptr; + } + const SkTextBlobBuilder::RunBuffer* buf = nullptr; switch (pos) { case kDefault_Positioning: @@ -850,7 +860,8 @@ public: {} sk_sp<SkTypeface> readTypeface() override { - return fResolverProc(this->read32(), fResolverCtx); + auto id = this->readUInt(); + return this->isValid() ? fResolverProc(id, fResolverCtx) : nullptr; } SkTypefaceResolverProc fResolverProc; |