authorGravatar Wei Li <weili@chromium.org>2018-03-08 14:33:52 -0800
committerGravatar Skia Commit-Bot <skia-commit-bot@chromium.org>2018-03-09 00:27:51 +0000
commitdc0b12ec7a2de9ae4836f90c66b4f8ff3558f0ba (patch)
tree1bccd8da2852b0f2f942fc04e36f9799ac4df85d /src/core
parentff6b4c59f24d70d939efb57f6638f29ad9e9d690 (diff)
Harden size check during textblob deserialization
Check that the text size read from a buffer does not exceed the size of the input buffer. This is to avoid memory allocation errors such as out of memory. BUG=chromium:809200 Change-Id: I47824f6e8122bd550ee97ac83e2251b7725865e7 Reviewed-on: https://skia-review.googlesource.com/113289 Reviewed-by: Florin Malita <fmalita@chromium.org> Commit-Queue: Florin Malita <fmalita@chromium.org>
Diffstat (limited to 'src/core')
-rw-r--r--src/core/SkTextBlob.cpp2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/core/SkTextBlob.cpp b/src/core/SkTextBlob.cpp
index f686f29e83..182cf72ec2 100644
--- a/src/core/SkTextBlob.cpp
+++ b/src/core/SkTextBlob.cpp
@@ -809,7 +809,7 @@ sk_sp<SkTextBlob> SkTextBlob::MakeFromBuffer(SkReadBuffer& reader) {
return nullptr;
}
int textSize = pe.extended ? reader.read32() : 0;
- if (textSize < 0) {
+ if (textSize < 0 || static_cast<size_t>(textSize) > reader.size()) {
return nullptr;
}
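Review bot: The new bound in `if (textSize < 0 || static_cast<size_t>(textSize) > reader.size())` compares against the size of the whole input buffer rather than the bytes still unread at this point, so a serialized textSize that exceeds what remains but not the total still passes. That does cap the later allocation at the input size, which is what the commit message asks for, but comparing against the remaining bytes, `static_cast<size_t>(textSize) > reader.available()`, would reject such a run before anything is allocated for it. A short comment such as `// textSize comes from the serialized data; bound it by the input before allocating` would also record why the check exists. MakeFromBuffer starts and ends outside this hunk, so whether the glyph count read earlier is bounded the same way cannot be confirmed from here.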