author | 2014-11-10 13:12:25 -0800 | |
---|---|---|
committer | 2014-11-10 13:12:25 -0800 | |
commit | b61e206138607423e83ba34d823c6036f394f655 (patch) | |
tree | 643b948ca1751c4268a3a616745995803e45ee58 /src/images/SkImageDecoder_libico.cpp | |
parent | 428b2a5a4f31334864b2834e8668e7498959580a (diff) |
Add tests (and fix!) for known bad ICO files.
We previously saw crashes decoding bad ICO files. Add tests for
known bad files.
While testing, I learned that one of them still crashes. Check for
large offset and size separately to fix the crash.
BUG=skia:2878
Review URL: https://codereview.chromium.org/712123002
Diffstat (limited to 'src/images/SkImageDecoder_libico.cpp')
-rw-r--r-- | src/images/SkImageDecoder_libico.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/images/SkImageDecoder_libico.cpp b/src/images/SkImageDecoder_libico.cpp index cd8a292edc..5240d09b86 100644 --- a/src/images/SkImageDecoder_libico.cpp +++ b/src/images/SkImageDecoder_libico.cpp @@ -159,7 +159,7 @@ SkImageDecoder::Result SkICOImageDecoder::onDecode(SkStream* stream, SkBitmap* b const size_t size = read4Bytes(buf, 14 + choice*16); //matters? const size_t offset = read4Bytes(buf, 18 + choice*16); // promote the sum to 64-bits to avoid overflow - if (((uint64_t)offset + size) > length) { + if (offset > length || size > length || ((uint64_t)offset + size) > length) { return kFailure; } |
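Review bot: the comment above the changed condition, "promote the sum to 64-bits to avoid overflow", no longer explains the check and should be updated to say why offset and size are now bounded individually. Both values are declared as size_t, so on a build where size_t is already 64 bits wide the (uint64_t) cast promotes nothing and offset + size can still wrap when either value is very large, which is the case the two new comparisons catch. Once offset > length has been rejected, the last clause can be written as size > length - offset, which cannot wrap and makes both the cast and the separate size > length test unnecessary. The commit message mentions new tests for the known bad files, but they are not part of this file's diff, so it is worth confirming that one of them exercises the large-offset path specifically.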