authorGravatar Robert Phillips <robertphillips@google.com>2016-09-26 09:00:36 -0400
committerGravatar Robert Phillips <robertphillips@google.com>2016-09-26 14:47:43 +0000
commitb2526041ba83a66ba66be237d9e83578ed6f2c1c (patch)
tree55a23c0cfa67363a0c92f992a3be93c5d5919c22 /src/core
parent0dc744ac340ee061faf4518be85cc28e38a4471b (diff)
Fix some fuzzer complaints
In one case the fuzzer was switching the picture's op code to an invalid value. In the other two the fuzzer was maxing out the number of points passed to drawPoints and the number of characters passed to drawTextRSXform. In these cases the validation would fail but still return a pointer into the data stream. GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2593 Change-Id: Id6d4e6b7bcbae38ace7ad1d92ffcfa5c02f9fb61 Reviewed-on: https://skia-review.googlesource.com/2593 Reviewed-by: Mike Reed <reed@google.com>
Diffstat (limited to 'src/core')
-rw-r--r--src/core/SkPicturePlayback.cpp21
-rw-r--r--src/core/SkValidatingReadBuffer.cpp6
2 files changed, 17 insertions, 10 deletions
diff --git a/src/core/SkPicturePlayback.cpp b/src/core/SkPicturePlayback.cpp
index cc16855abf..2ffb6c20d1 100644
--- a/src/core/SkPicturePlayback.cpp
+++ b/src/core/SkPicturePlayback.cpp
@@ -108,6 +108,9 @@ void SkPicturePlayback::draw(SkCanvas* canvas,
fCurOffset = reader->offset();
uint32_t size;
DrawType op = ReadOpAndSize(reader, &size);
+ if (!reader->validate(op > UNUSED && op <= LAST_DRAWTYPE_ENUM)) {
+ return;
+ }
this->handleOp(reader, op, size, canvas, initialMatrix);
}
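Review bot: The opcode range check sits in draw() immediately before the `handleOp` call, so it protects only this call site. If handleOp can be reached from any other caller (none is visible in this hunk), an out-of-range `op` from the stream would still reach the switch. Either move the `reader->validate(op > UNUSED && op <= LAST_DRAWTYPE_ENUM)` test to the top of handleOp, or state the precondition there with a comment such as `// op must already be range-checked by the caller; it comes from untrusted picture data`. The body of draw() starts and ends outside the hunk.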
@@ -420,7 +423,7 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader,
get_text(reader, &text);
size_t points = reader->readInt();
const SkPoint* pos = (const SkPoint*)reader->skip(points * sizeof(SkPoint));
- if (paint) {
+ if (paint && text.text()) {
canvas->drawPosText(text.text(), text.length(), pos, *paint);
}
} break;
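Review bot: The new guard tests `text.text()` but not `pos`, which is also the result of `reader->skip()` and can now be null after the SkValidatingReadBuffer::skip change in this same commit. If the text read succeeds and the oversized point count is what trips validation, `drawPosText` is still called with a null position array; the condition should be `if (paint && text.text() && pos)`. The same gap exists for `pos` in the hunk at -434 and for `xpos` in the hunk at -445. Separately, `points` goes from `readInt()` into a `size_t` and is multiplied by `sizeof(SkPoint)` with no overflow check, and it is never compared with the glyph count implied by `text.length()`, so a small but valid array may still be over-read by the canvas call; both are worth confirming. The enclosing case starts outside the hunk.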
@@ -434,7 +437,7 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader,
const SkScalar bottom = reader->readScalar();
SkRect clip;
canvas->getClipBounds(&clip);
- if (top < clip.fBottom && bottom > clip.fTop && paint) {
+ if (top < clip.fBottom && bottom > clip.fTop && paint && text.text()) {
canvas->drawPosText(text.text(), text.length(), pos, *paint);
}
} break;
@@ -445,7 +448,7 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader,
size_t xCount = reader->readInt();
const SkScalar constY = reader->readScalar();
const SkScalar* xpos = (const SkScalar*)reader->skip(xCount * sizeof(SkScalar));
- if (paint) {
+ if (paint && text.text()) {
canvas->drawPosTextH(text.text(), text.length(), xpos, constY, *paint);
}
} break;
@@ -460,7 +463,7 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader,
const SkScalar constY = *xpos++;
SkRect clip;
canvas->getClipBounds(&clip);
- if (top < clip.fBottom && bottom > clip.fTop && paint) {
+ if (top < clip.fBottom && bottom > clip.fTop && paint && text.text()) {
canvas->drawPosTextH(text.text(), text.length(), xpos, constY, *paint);
}
} break;
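Review bot: `const SkScalar constY = *xpos++;` on the first line of this hunk dereferences `xpos` before anything has checked it, so the added `text.text()` test comes too late to protect that read. The assignment of `xpos` is outside the hunk, but if it comes from `reader->skip()` as in the sibling cases, it can be null once skip() returns nullptr on a validation failure. The check belongs right after the pointer is obtained, for example `if (!reader->validate(xpos != nullptr)) { break; }`, before any `*xpos++`. The `ptr[2]` and `ptr[3]` reads in the hunk at -527 look like the same pattern and need the same check.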
@@ -501,7 +504,7 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader,
get_text(reader, &text);
SkScalar x = reader->readScalar();
SkScalar y = reader->readScalar();
- if (paint) {
+ if (paint && text.text()) {
canvas->drawText(text.text(), text.length(), x, y, *paint);
}
} break;
@@ -527,7 +530,7 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader,
canvas->getClipBounds(&clip);
float top = ptr[2];
float bottom = ptr[3];
- if (top < clip.fBottom && bottom > clip.fTop && paint) {
+ if (top < clip.fBottom && bottom > clip.fTop && paint && text.text()) {
canvas->drawText(text.text(), text.length(), ptr[0], ptr[1], *paint);
}
} break;
@@ -538,7 +541,7 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader,
const SkPath& path = fPictureData->getPath(reader);
SkMatrix matrix;
reader->readMatrix(&matrix);
- if (paint) {
+ if (paint && text.text()) {
canvas->drawTextOnPath(text.text(), text.length(), path, &matrix, *paint);
}
} break;
@@ -553,7 +556,9 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader,
if (flags & DRAW_TEXT_RSXFORM_HAS_CULL) {
cull = (const SkRect*)reader->skip(sizeof(SkRect));
}
- canvas->drawTextRSXform(text.text(), text.length(), xform, cull, *paint);
+ if (text.text()) {
+ canvas->drawTextRSXform(text.text(), text.length(), xform, cull, *paint);
+ }
} break;
case DRAW_VERTICES: {
sk_sp<SkXfermode> xfer;
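Review bot: `*paint` is dereferenced inside the new block with only `text.text()` tested, whereas every other text case touched by this commit checks `paint` first. Unless `paint` is validated above the hunk, a stream that yields no paint for this op becomes a null dereference; use `if (paint && text.text())`. `xform` is assigned outside the hunk, but if it also comes from `reader->skip()` it needs the same null test, since a character count large enough to fail the xform read is the case the commit message describes. A null `cull` appears to be the existing no-cull case and so looks harmless.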
diff --git a/src/core/SkValidatingReadBuffer.cpp b/src/core/SkValidatingReadBuffer.cpp
index d57e499cc1..e1b84d597f 100644
--- a/src/core/SkValidatingReadBuffer.cpp
+++ b/src/core/SkValidatingReadBuffer.cpp
@@ -44,9 +44,11 @@ const void* SkValidatingReadBuffer::skip(size_t size) {
size_t inc = SkAlign4(size);
const void* addr = fReader.peek();
this->validate(IsPtrAlign4(addr) && fReader.isAvailable(inc));
- if (!fError) {
- fReader.skip(size);
+ if (fError) {
+ return nullptr;
}
+
+ fReader.skip(size);
return addr;
}
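Review bot: `inc = SkAlign4(size)` is computed from a caller-controlled `size` with no overflow check, and the validation uses `inc` while the advance uses `size`. If SkAlign4 rounds up by adding 3 (its definition is not shown here), a `size` within 3 of SIZE_MAX wraps `inc` to a small value or zero, `isAvailable(inc)` then passes, and `fReader.skip(size)` moves the cursor far past the buffer. Adding `inc >= size` to the validate call closes this: `this->validate(IsPtrAlign4(addr) && inc >= size && fReader.isAvailable(inc));`. Callers in SkPicturePlayback.cpp build `size` as `count * sizeof(T)` from a stream integer, so wrapped values are reachable from untrusted input. A short comment on the function that it returns nullptr on failure and that callers must check the result would also help.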