Fix out of bounds read in SkColorSpace::MakeICC

Bug: 711895 Change-Id: I8574289bda842cf1be3fb5bcf347a81b98fdc6b0 Reviewed-on: https://skia-review.googlesource.com/13690 Commit-Queue: Matt Sarett <msarett@google.com> Reviewed-by: Mike Klein <mtklein@chromium.org>
author: Matt Sarett <msarett@google.com> 2017-04-18 11:08:29 -0400
committer: Skia Commit-Bot <skia-commit-bot@chromium.org> 2017-04-18 15:37:29 +0000
commit: 6e834799946537370e6f3c10aa2745ed969b2a27 (patch)
tree: a916098cb5d6a8ade45a73886e6a6d681f25c129 /src
parent: a0481b9f3fe41ac5cb1ea9eb6bd55b0e38661434 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/src/core/SkColorSpace_ICC.cpp b/src/core/SkColorSpace_ICC.cpp
index 9c2082af7f..6d4bba26bd 100644
--- a/src/core/SkColorSpace_ICC.cpp
+++ b/src/core/SkColorSpace_ICC.cpp
@@ -1185,7 +1185,11 @@ static inline int icf_channels(SkColorSpace_Base::ICCTypeFlag iccType) {
 static bool load_a2b0(std::vector<SkColorSpace_A2B::Element>* elements, const uint8_t* src,
                       size_t len, SkColorSpace_A2B::PCS pcs,
                       SkColorSpace_Base::ICCTypeFlag iccType) {
+    if (len < 4) {
+        return false;
+    }
     const uint32_t type = read_big_endian_u32(src);
+
     switch (type) {
         case kTAG_AtoBType:
             if (len < 32) {
author	Matt Sarett <msarett@google.com>	2017-04-18 11:08:29 -0400
committer	Skia Commit-Bot <skia-commit-bot@chromium.org>	2017-04-18 15:37:29 +0000
commit	6e834799946537370e6f3c10aa2745ed969b2a27 (patch)
tree	a916098cb5d6a8ade45a73886e6a6d681f25c129 /src
parent	a0481b9f3fe41ac5cb1ea9eb6bd55b0e38661434 (diff)