author | 2015-02-09 13:17:21 -0800 | |
---|---|---|
committer | 2015-02-09 13:17:21 -0800 | |
commit | 8e85761e5a4a0b169cf101c4d72142ee4b87d266 (patch) | |
tree | 60e6c0319819cf4ea0602eae0962231318c86beb /src | |
parent | 61adb1b6491db3d3552d09a1c69ba5a37beb38d5 (diff) |
Fixed array read error
In 32 bits, if the "element count" was under 32 bits, but "element count" * "element size" was over the 32 bit limit, the overflow was causing the read operation to appear as if it had succeeded, even though it should have failed.
BUG=456828
Review URL: https://codereview.chromium.org/904833003
Diffstat (limited to 'src')
-rw-r--r-- | src/core/SkValidatingReadBuffer.cpp | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/core/SkValidatingReadBuffer.cpp b/src/core/SkValidatingReadBuffer.cpp index 96b0863936..fd00e7d989 100644 --- a/src/core/SkValidatingReadBuffer.cpp +++ b/src/core/SkValidatingReadBuffer.cpp @@ -175,7 +175,9 @@ bool SkValidatingReadBuffer::readArray(void* value, size_t size, size_t elementS const uint32_t count = this->getArrayCount(); this->validate(size == count); (void)this->skip(sizeof(uint32_t)); // Skip array count + const uint64_t byteLength64 = sk_64_mul(count, elementSize); const size_t byteLength = count * elementSize; + this->validate(byteLength == byteLength64); const void* ptr = this->skip(SkAlign4(byteLength)); if (!fError) { memcpy(value, ptr, byteLength); |
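Review bot: The new validate(byteLength == byteLength64) covers the count * elementSize multiplication, but the statement right after it, this->skip(SkAlign4(byteLength)), does further arithmetic on that value which is not checked in this hunk. On a 32-bit build a byteLength within the last few bytes below the size_t limit equals byteLength64 and passes the new check; if SkAlign4 rounds up to the next multiple of 4 (as its name suggests, its definition is not visible here), the rounded length can wrap while memcpy(value, ptr, byteLength) still uses the unrounded one. Please confirm that skip() rejects that case, or validate the aligned length as well, for example by doing the rounding in 64 bits and comparing before the skip. A short comment saying that byteLength is deliberately the truncating product, kept so it can be compared against byteLength64, would help the next reader, and since the diffstat shows only this one file changed, a regression test with a count and elementSize whose product exceeds 32 bits would be worth adding.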