diff options
| author |  Kevin Lubick <kjlubick@google.com> | 2018-05-17 11:29:10 -0400 |
|---|---|---|
| committer |  Skia Commit-Bot <skia-commit-bot@chromium.org> | 2018-05-17 15:50:53 +0000 |
| commit | daebae965b530039efcc508f50b42c3e6ecb70e4 (patch) | |
| tree | ae89fc820b58ee2c54302d38726a7a3b2da1f52c /src/effects | |
| parent | a33b67c36bcdf70221c459a5fcfec48055f66505 (diff) | |
Return nullptr when ReadBuffer becomes invalid
This especially helps in SkDrawLooper because we can bail out early
instead of looping for a potentially long time, e.g. when fuzzed
input says count is a large number.
This also cleans up validate in a few spots, and adds validateCanReadN
as a helper function.
Bug: skia:7937
Change-Id: Ic5eff357c8cadc91eeafc6e39c78c570ba74df2f
Reviewed-on: https://skia-review.googlesource.com/128847
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Commit-Queue: Mike Klein <mtklein@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>
Reviewed-by: Florin Malita <fmalita@chromium.org>
Diffstat (limited to 'src/effects')
| -rw-r--r-- | src/effects/SkArithmeticImageFilter.cpp | 3 | ||||
| -rw-r--r-- | src/effects/SkDashPathEffect.cpp | 2 | ||||
| -rw-r--r-- | src/effects/SkLayerDrawLooper.cpp | 3 | ||||
| -rw-r--r-- | src/effects/SkXfermodeImageFilter.cpp | 3 |
4 files changed, 10 insertions, 1 deletions
diff --git a/src/effects/SkArithmeticImageFilter.cpp b/src/effects/SkArithmeticImageFilter.cpp index 24c95c82ce..984ed80a19 100644 --- a/src/effects/SkArithmeticImageFilter.cpp +++ b/src/effects/SkArithmeticImageFilter.cpp @@ -86,6 +86,9 @@ sk_sp<SkFlattenable> ArithmeticImageFilterImpl::CreateProc(SkReadBuffer& buffer) k[i] = buffer.readScalar(); } const bool enforcePMColor = buffer.readBool(); + if (!buffer.isValid()) { + return nullptr; + } return SkArithmeticImageFilter::Make(k[0], k[1], k[2], k[3], enforcePMColor, common.getInput(0), common.getInput(1), &common.cropRect()); } diff --git a/src/effects/SkDashPathEffect.cpp b/src/effects/SkDashPathEffect.cpp index 4cb98b3ad8..cdadcf907d 100644 --- a/src/effects/SkDashPathEffect.cpp +++ b/src/effects/SkDashPathEffect.cpp @@ -369,7 +369,7 @@ sk_sp<SkFlattenable> SkDashImpl::CreateProc(SkReadBuffer& buffer) { uint32_t count = buffer.getArrayCount(); // Don't allocate gigantic buffers if there's not data for them. - if (count > buffer.size() / sizeof(SkScalar)) { + if (!buffer.validateCanReadN<SkScalar>(count)) { return nullptr; } diff --git a/src/effects/SkLayerDrawLooper.cpp b/src/effects/SkLayerDrawLooper.cpp index 6a8254d894..db61e08c4f 100644 --- a/src/effects/SkLayerDrawLooper.cpp +++ b/src/effects/SkLayerDrawLooper.cpp @@ -272,6 +272,9 @@ sk_sp<SkFlattenable> SkLayerDrawLooper::CreateProc(SkReadBuffer& buffer) { buffer.readPoint(&info.fOffset); info.fPostTranslate = buffer.readBool(); buffer.readPaint(builder.addLayerOnTop(info)); + if (!buffer.isValid()) { + return nullptr; + } } return builder.detach(); } diff --git a/src/effects/SkXfermodeImageFilter.cpp b/src/effects/SkXfermodeImageFilter.cpp index 1c670fbe0b..587784a391 100644 --- a/src/effects/SkXfermodeImageFilter.cpp +++ b/src/effects/SkXfermodeImageFilter.cpp @@ -375,6 +375,9 @@ sk_sp<SkFlattenable> SkXfermodeImageFilter_Base::LegacyArithmeticCreateProc(SkRe k[i] = buffer.readScalar(); } const bool enforcePMColor = buffer.readBool(); + if (!buffer.isValid()) { + return nullptr; + } return SkArithmeticImageFilter::Make(k[0], k[1], k[2], k[3], enforcePMColor, common.getInput(0), common.getInput(1), &common.cropRect()); } |