Harden size check during textblob deserialization

Check the text size read from a buffer should not exceed the size of the input buffer. This is to avoid memory allocation errors such as out of memory. BUG=chromium:809200 Change-Id: I47824f6e8122bd550ee97ac83e2251b7725865e7 Reviewed-on: https://skia-review.googlesource.com/113289 Reviewed-by: Florin Malita <fmalita@chromium.org> Commit-Queue: Florin Malita <fmalita@chromium.org>
author: Wei Li <weili@chromium.org> 2018-03-08 14:33:52 -0800
committer: Skia Commit-Bot <skia-commit-bot@chromium.org> 2018-03-09 00:27:51 +0000
commit: dc0b12ec7a2de9ae4836f90c66b4f8ff3558f0ba (patch)
tree: 1bccd8da2852b0f2f942fc04e36f9799ac4df85d /src/core
parent: ff6b4c59f24d70d939efb57f6638f29ad9e9d690 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/core/SkTextBlob.cpp b/src/core/SkTextBlob.cpp
index f686f29e83..182cf72ec2 100644
--- a/src/core/SkTextBlob.cpp
+++ b/src/core/SkTextBlob.cpp
@@ -809,7 +809,7 @@ sk_sp<SkTextBlob> SkTextBlob::MakeFromBuffer(SkReadBuffer& reader) {
             return nullptr;
         }
         int textSize = pe.extended ? reader.read32() : 0;
-        if (textSize < 0) {
+        if (textSize < 0 || static_cast<size_t>(textSize) > reader.size()) {
             return nullptr;
         }
author	Wei Li <weili@chromium.org>	2018-03-08 14:33:52 -0800
committer	Skia Commit-Bot <skia-commit-bot@chromium.org>	2018-03-09 00:27:51 +0000
commit	dc0b12ec7a2de9ae4836f90c66b4f8ff3558f0ba (patch)
tree	1bccd8da2852b0f2f942fc04e36f9799ac4df85d /src/core
parent	ff6b4c59f24d70d939efb57f6638f29ad9e9d690 (diff)