diff options
| author |  Mike Reed <reed@google.com> | 2018-01-16 15:42:32 -0500 |
|---|---|---|
| committer |  Skia Commit-Bot <skia-commit-bot@chromium.org> | 2018-01-16 21:00:08 +0000 |
| commit | 539c6f5c92c2a4f04816d562c3d23556a35a2e98 (patch) | |
| tree | 8e1f8e04149f833408cd69e3a810d2244addd265 /src | |
| parent | 6be756b673b823881e90a2ef68c12b640ddde549 (diff) | |
validate offsetToRestore
Bug: skia:7425
Change-Id: I6451058bc5194853440f08a053fb974bc8f377a2
Reviewed-on: https://skia-review.googlesource.com/95161
Commit-Queue: Mike Reed <reed@google.com>
Commit-Queue: Mike Klein <mtklein@chromium.org>
Reviewed-by: Mike Klein <mtklein@chromium.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/core/SkPicturePlayback.cpp | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/src/core/SkPicturePlayback.cpp b/src/core/SkPicturePlayback.cpp index 47def4d6d5..894e84081b 100644 --- a/src/core/SkPicturePlayback.cpp +++ b/src/core/SkPicturePlayback.cpp @@ -141,6 +141,12 @@ void SkPicturePlayback::draw(SkCanvas* canvas, } } +static void validate_offsetToRestore(SkReadBuffer* reader, size_t offsetToRestore) { + if (offsetToRestore) { + reader->validate(SkIsAlign4(offsetToRestore) && offsetToRestore >= reader->offset()); + } +} + void SkPicturePlayback::handleOp(SkReadBuffer* reader, DrawType op, uint32_t size, @@ -162,9 +168,9 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader, SkClipOp clipOp = ClipParams_unpackRegionOp(reader, packed); bool doAA = ClipParams_unpackDoAA(packed); size_t offsetToRestore = reader->readInt(); + validate_offsetToRestore(reader, offsetToRestore); BREAK_ON_READ_ERROR(reader); - SkASSERT(!offsetToRestore || offsetToRestore >= reader->offset()); canvas->clipPath(path, clipOp, doAA); if (canvas->isClipEmpty() && offsetToRestore) { reader->skip(offsetToRestore - reader->offset()); @@ -176,9 +182,9 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader, uint32_t packed = reader->readInt(); SkClipOp clipOp = ClipParams_unpackRegionOp(reader, packed); size_t offsetToRestore = reader->readInt(); + validate_offsetToRestore(reader, offsetToRestore); BREAK_ON_READ_ERROR(reader); - SkASSERT(!offsetToRestore || offsetToRestore >= reader->offset()); canvas->clipRegion(region, clipOp); if (canvas->isClipEmpty() && offsetToRestore) { reader->skip(offsetToRestore - reader->offset()); @@ -191,9 +197,9 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader, SkClipOp clipOp = ClipParams_unpackRegionOp(reader, packed); bool doAA = ClipParams_unpackDoAA(packed); size_t offsetToRestore = reader->readInt(); + validate_offsetToRestore(reader, offsetToRestore); BREAK_ON_READ_ERROR(reader); - SkASSERT(!offsetToRestore || offsetToRestore >= reader->offset()); canvas->clipRect(rect, clipOp, doAA); if (canvas->isClipEmpty() && offsetToRestore) { reader->skip(offsetToRestore - reader->offset()); @@ -206,9 +212,9 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader, SkClipOp clipOp = ClipParams_unpackRegionOp(reader, packed); bool doAA = ClipParams_unpackDoAA(packed); size_t offsetToRestore = reader->readInt(); + validate_offsetToRestore(reader, offsetToRestore); BREAK_ON_READ_ERROR(reader); - SkASSERT(!offsetToRestore || offsetToRestore >= reader->offset()); canvas->clipRRect(rrect, clipOp, doAA); if (canvas->isClipEmpty() && offsetToRestore) { reader->skip(offsetToRestore - reader->offset()); |