authorGravatar commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81>2013-10-23 18:33:18 +0000
committerGravatar commit-bot@chromium.org <commit-bot@chromium.org@2bbb7eff-a529-9590-31e7-b0007b416f81>2013-10-23 18:33:18 +0000
commitd594dbec0407343b7ac13af9c4580ec5933ab060 (patch)
tree02f5df92c84642ab3c89199d9b169ea0c48290a3 /src/effects
parentc0b7e10c6a68f59e1653e6c18e6bc954b3c3f0cf (diff)
Follow up to serialization validation code
1 ) Added check for bool to make sure it is either 0 or 1 and not garbage 2 ) Added more solid kernel size checks in SkMatrixConvolutionImageFilter 3 ) Make sure array size is validated in SkMergeImageFilter BUG= R=reed@google.com, mtklein@google.com, senorblanco@google.com, senorblanco@chromium.org Author: sugoi@chromium.org Review URL: https://codereview.chromium.org/23548034 git-svn-id: http://skia.googlecode.com/svn/trunk@11925 2bbb7eff-a529-9590-31e7-b0007b416f81
Diffstat (limited to 'src/effects')
-rw-r--r--src/effects/SkMatrixConvolutionImageFilter.cpp20
-rwxr-xr-xsrc/effects/SkMergeImageFilter.cpp4
2 files changed, 18 insertions, 6 deletions
diff --git a/src/effects/SkMatrixConvolutionImageFilter.cpp b/src/effects/SkMatrixConvolutionImageFilter.cpp
index 909facb0c9..cac30e6a49 100644
--- a/src/effects/SkMatrixConvolutionImageFilter.cpp
+++ b/src/effects/SkMatrixConvolutionImageFilter.cpp
@@ -61,17 +61,27 @@ SkMatrixConvolutionImageFilter::SkMatrixConvolutionImageFilter(SkFlattenableRead
: INHERITED(buffer) {
fKernelSize.fWidth = buffer.readInt();
fKernelSize.fHeight = buffer.readInt();
- uint32_t size = fKernelSize.fWidth * fKernelSize.fHeight;
- fKernel = SkNEW_ARRAY(SkScalar, size);
- SkDEBUGCODE(uint32_t readSize = )buffer.readScalarArray(fKernel);
- SkASSERT(readSize == size);
+ if ((fKernelSize.fWidth >= 1) && (fKernelSize.fHeight >= 1) &&
+ // Make sure size won't be larger than a signed int,
+ // which would still be extremely large for a kernel,
+ // but we don't impose a hard limit for kernel size
+ (SK_MaxS32 / fKernelSize.fWidth >= fKernelSize.fHeight)) {
+ uint32_t size = fKernelSize.fWidth * fKernelSize.fHeight;
+ fKernel = SkNEW_ARRAY(SkScalar, size);
+ uint32_t readSize = buffer.readScalarArray(fKernel);
+ SkASSERT(readSize == size);
+ buffer.validate(readSize == size);
+ } else {
+ fKernel = 0;
+ }
fGain = buffer.readScalar();
fBias = buffer.readScalar();
fTarget.fX = buffer.readInt();
fTarget.fY = buffer.readInt();
fTileMode = (TileMode) buffer.readInt();
fConvolveAlpha = buffer.readBool();
- buffer.validate(SkScalarIsFinite(fGain) &&
+ buffer.validate((fKernel != 0) &&
+ SkScalarIsFinite(fGain) &&
SkScalarIsFinite(fBias) &&
tile_mode_is_valid(fTileMode));
}
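Review bot: The new branch allocates `fKernel` and calls `buffer.readScalarArray(fKernel)` before anything compares the array count stored in the stream with `size`, so `readSize == size` is only checked after the copy has already happened. readScalarArray is not visible here; if it copies the stored count, a serialized array longer than `fWidth * fHeight` would write past the allocation, and the overflow guard by itself still lets a short stream request an allocation of up to SK_MaxS32 scalars. I would check `buffer.getArrayCount() == size` (the call the SkMergeImageFilter.cpp hunk of this commit uses; confirm its unit for scalar arrays) before `SkNEW_ARRAY`, and take the `fKernel = 0` path when it fails. `fTarget.fX` and `fTarget.fY` are also read without being compared against the kernel dimensions in the final `buffer.validate(...)`; whether that matters depends on how the filter uses them outside this hunk.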
diff --git a/src/effects/SkMergeImageFilter.cpp b/src/effects/SkMergeImageFilter.cpp
index a5c32acaf7..4de1093612 100755
--- a/src/effects/SkMergeImageFilter.cpp
+++ b/src/effects/SkMergeImageFilter.cpp
@@ -161,7 +161,9 @@ SkMergeImageFilter::SkMergeImageFilter(SkFlattenableReadBuffer& buffer) : INHERI
if (hasModes) {
this->initAllocModes();
int nbInputs = countInputs();
- SkASSERT(buffer.getArrayCount() == nbInputs * sizeof(fModes[0]));
+ bool sizeMatches = buffer.getArrayCount() == nbInputs * sizeof(fModes[0]);
+ buffer.validate(sizeMatches);
+ SkASSERT(sizeMatches);
buffer.readByteArray(fModes);
for (int i = 0; i < nbInputs; ++i) {
buffer.validate(SkIsValidMode((SkXfermode::Mode)fModes[i]));
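Review bot: `buffer.readByteArray(fModes)` still runs when `sizeMatches` is false, since `buffer.validate(sizeMatches)` appears only to record the failure and `SkASSERT` is presumably compiled out of release builds. Unless readByteArray refuses to copy from an invalidated buffer (not visible here), a stored count that differs from `nbInputs * sizeof(fModes[0])` is copied into storage sized for `nbInputs` modes. I would make the read and the mode loop conditional, `if (sizeMatches) { buffer.readByteArray(fModes); ... }`, and leave `fModes` as `initAllocModes()` set it otherwise. The constructor begins before this hunk and the `for` loop continues past its last line.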