author | commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81> | 2013-10-23 18:33:18 +0000 |
---|---|---|
committer | commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81> | 2013-10-23 18:33:18 +0000 |
commit | d594dbec0407343b7ac13af9c4580ec5933ab060 (patch) | |
tree | 02f5df92c84642ab3c89199d9b169ea0c48290a3 /src/effects/SkMatrixConvolutionImageFilter.cpp | |
parent | c0b7e10c6a68f59e1653e6c18e6bc954b3c3f0cf (diff) |
Follow up to serialization validation code
1 ) Added check for bool to make sure it is either 0 or 1 and not garbage
2 ) Added more solid kernel size checks in SkMatrixConvolutionImageFilter
3 ) Make sure array size is validated in SkMergeImageFilter
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/23548034
git-svn-id: http://skia.googlecode.com/svn/trunk@11925 2bbb7eff-a529-9590-31e7-b0007b416f81
Diffstat (limited to 'src/effects/SkMatrixConvolutionImageFilter.cpp')
-rw-r--r-- | src/effects/SkMatrixConvolutionImageFilter.cpp | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/src/effects/SkMatrixConvolutionImageFilter.cpp b/src/effects/SkMatrixConvolutionImageFilter.cpp
index 909facb0c9..cac30e6a49 100644
--- a/src/effects/SkMatrixConvolutionImageFilter.cpp
+++ b/src/effects/SkMatrixConvolutionImageFilter.cpp
@@ -61,17 +61,27 @@ SkMatrixConvolutionImageFilter::SkMatrixConvolutionImageFilter(SkFlattenableRead
 : INHERITED(buffer) {
 fKernelSize.fWidth = buffer.readInt();
 fKernelSize.fHeight = buffer.readInt();
- uint32_t size = fKernelSize.fWidth * fKernelSize.fHeight;
- fKernel = SkNEW_ARRAY(SkScalar, size);
- SkDEBUGCODE(uint32_t readSize = )buffer.readScalarArray(fKernel);
- SkASSERT(readSize == size);
+ if ((fKernelSize.fWidth >= 1) && (fKernelSize.fHeight >= 1) &&
+ // Make sure size won't be larger than a signed int,
+ // which would still be extremely large for a kernel,
+ // but we don't impose a hard limit for kernel size
+ (SK_MaxS32 / fKernelSize.fWidth >= fKernelSize.fHeight)) {
+ uint32_t size = fKernelSize.fWidth * fKernelSize.fHeight;
+ fKernel = SkNEW_ARRAY(SkScalar, size);
+ uint32_t readSize = buffer.readScalarArray(fKernel);
+ SkASSERT(readSize == size);
+ buffer.validate(readSize == size);
+ } else {
+ fKernel = 0;
+ }
 fGain = buffer.readScalar();
 fBias = buffer.readScalar();
 fTarget.fX = buffer.readInt();
 fTarget.fY = buffer.readInt();
 fTileMode = (TileMode) buffer.readInt();
 fConvolveAlpha = buffer.readBool();
- buffer.validate(SkScalarIsFinite(fGain) &&
+ buffer.validate((fKernel != 0) &&
+ SkScalarIsFinite(fGain) &&
 SkScalarIsFinite(fBias) &&
 tile_mode_is_valid(fTileMode));
 } |
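Review bot: The `readSize == size` check runs only after `buffer.readScalarArray(fKernel)` has already copied into the new array, and that call receives the pointer but not `size`. Unless the reader bounds the copy internally (not visible here), a serialized array longer than `fWidth * fHeight` is written past the allocation before `validate()` can reject it. Compare the stored element count with `size` before the copy, for example `if (buffer.getArrayCount() == size) { buffer.readScalarArray(fKernel); } else { buffer.validate(false); }` if that count query is available at this revision, and drop the `SkASSERT` so malformed input fails validation instead of aborting debug builds. `fTarget.fX` and `fTarget.fY` are also read from the stream but are not part of the final `validate()`, so a range check against `fKernelSize` looks worth adding. The constructor's signature starts above the hunk.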