Fix SkDashImpl::CreateProc OOM on garbage input

Verify that there's enough data to read from before allocating gigantic blocks of memory. This was caught by a fuzzer. Bug: chromium:835418 Change-Id: I43fb1d11ec13726aacb62fe6aeb9f137424fb783 Reviewed-on: https://skia-review.googlesource.com/123538 Commit-Queue: Mike Klein <mtklein@google.com> Auto-Submit: Adrienne Walker <enne@chromium.org> Reviewed-by: Mike Klein <mtklein@google.com>
author: Adrienne Walker <enne@chromium.org> 2018-04-24 16:41:41 -0700
committer: Skia Commit-Bot <skia-commit-bot@chromium.org> 2018-04-25 13:23:36 +0000
commit: 77e95f7067e3bbb4234965c8413f6f86e345bca6 (patch)
tree: 87397beeb8ae00f6245f1c834806a45b1a3bd819 /src/effects
parent: ec4e7358ba6d5d68c32f0cdacfba454957960841 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/src/effects/SkDashPathEffect.cpp b/src/effects/SkDashPathEffect.cpp
index cced73f72e..4cb98b3ad8 100644
--- a/src/effects/SkDashPathEffect.cpp
+++ b/src/effects/SkDashPathEffect.cpp
@@ -367,6 +367,12 @@ void SkDashImpl::flatten(SkWriteBuffer& buffer) const {
 sk_sp<SkFlattenable> SkDashImpl::CreateProc(SkReadBuffer& buffer) {
     const SkScalar phase = buffer.readScalar();
     uint32_t count = buffer.getArrayCount();
+
+    // Don't allocate gigantic buffers if there's not data for them.
+    if (count > buffer.size() / sizeof(SkScalar)) {
+        return nullptr;
+    }
+
     SkAutoSTArray<32, SkScalar> intervals(count);
     if (buffer.readScalarArray(intervals.get(), count)) {
         return SkDashPathEffect::Make(intervals.get(), SkToInt(count), phase);
author	Adrienne Walker <enne@chromium.org>	2018-04-24 16:41:41 -0700
committer	Skia Commit-Bot <skia-commit-bot@chromium.org>	2018-04-25 13:23:36 +0000
commit	77e95f7067e3bbb4234965c8413f6f86e345bca6 (patch)
tree	87397beeb8ae00f6245f1c834806a45b1a3bd819 /src/effects
parent	ec4e7358ba6d5d68c32f0cdacfba454957960841 (diff)