author | Robert Phillips <robertphillips@google.com> | 2016-12-19 11:37:37 -0500 |
---|---|---|
committer | Skia Commit-Bot <skia-commit-bot@chromium.org> | 2016-12-19 17:14:10 +0000 |
commit | 98624d249d279f68127c76754d542ab5cd0f8eab (patch) | |
tree | 86e5e534316aed3dd95001b32180f0df72e23ffd /src | |
parent | efa9d34ccbdeb541a1fa77a678552df7a08531be (diff) |
"Fix" some ImageFilter fuzzer issues
SkClipOp.h & SkPictureFlat.h
Invalid SkClipOps were getting through - the question here is where (for a class enum) is a good place to put the k*Mask definition.
SkPath1DPathEffect
NaNs were getting past.
SkBlurMaskFilter
Assert wasn't necessary since we whacked the flag on the next line.
Change-Id: I87f95ad39f4760284f881d7c4500eb82fcdba282
Reviewed-on: https://skia-review.googlesource.com/6194
Commit-Queue: Robert Phillips <robertphillips@google.com>
Reviewed-by: Herb Derby <herb@google.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/core/SkPictureFlat.h | 13 | ||||
-rw-r--r-- | src/core/SkPicturePlayback.cpp | 8 | ||||
-rw-r--r-- | src/effects/Sk1DPathEffect.cpp | 2 | ||||
-rw-r--r-- | src/effects/SkBlurMaskFilter.cpp | 15 |
4 files changed, 25 insertions, 13 deletions
diff --git a/src/core/SkPictureFlat.h b/src/core/SkPictureFlat.h index 1ac91b7ab5..3489043c61 100644 --- a/src/core/SkPictureFlat.h +++ b/src/core/SkPictureFlat.h @@ -133,8 +133,17 @@ static inline uint32_t ClipParams_pack(SkClipOp op, bool doAA) { return (doAABit << 4) | static_cast<int>(op); } -static inline SkClipOp ClipParams_unpackRegionOp(uint32_t packed) { - return (SkClipOp)(packed & 0xF); +template <typename T> T asValidEnum(SkReadBuffer* buffer, uint32_t candidate) { + + if (buffer->validate(candidate <= static_cast<uint32_t>(T::kMax_EnumValue))) { + return static_cast<T>(candidate); + } + + return T::kMax_EnumValue; +} + +static inline SkClipOp ClipParams_unpackRegionOp(SkReadBuffer* buffer, uint32_t packed) { + return asValidEnum<SkClipOp>(buffer, packed & 0xF); } static inline bool ClipParams_unpackDoAA(uint32_t packed) { diff --git a/src/core/SkPicturePlayback.cpp b/src/core/SkPicturePlayback.cpp index 85e5c03cad..c52233aca1 100644 --- a/src/core/SkPicturePlayback.cpp +++ b/src/core/SkPicturePlayback.cpp @@ -136,7 +136,7 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader, case CLIP_PATH: { const SkPath& path = fPictureData->getPath(reader); uint32_t packed = reader->readInt(); - SkClipOp clipOp = ClipParams_unpackRegionOp(packed); + SkClipOp clipOp = ClipParams_unpackRegionOp(reader, packed); bool doAA = ClipParams_unpackDoAA(packed); size_t offsetToRestore = reader->readInt(); BREAK_ON_READ_ERROR(reader); @@ -151,7 +151,7 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader, SkRegion region; reader->readRegion(®ion); uint32_t packed = reader->readInt(); - SkClipOp clipOp = ClipParams_unpackRegionOp(packed); + SkClipOp clipOp = ClipParams_unpackRegionOp(reader, packed); size_t offsetToRestore = reader->readInt(); BREAK_ON_READ_ERROR(reader); 
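Review bot: `asValidEnum` has no comment stating its contract, and that contract is easy to misuse: on an out-of-range `candidate` it flags the buffer through `buffer->validate(...)` but still returns `T::kMax_EnumValue`, which is a legitimate enumerator. A caller that does not check the buffer afterwards would treat corrupt input as a real clip op; the four `ClipParams_unpackRegionOp` call sites in SkPicturePlayback.cpp do appear to reach `BREAK_ON_READ_ERROR(reader)` before using the value. I would add above the template: `// Returns candidate as T if it is <= T::kMax_EnumValue; otherwise marks 'buffer' invalid and returns T::kMax_EnumValue. Callers must check the buffer before using the result.` The same comment should state that every `T` must define `kMax_EnumValue`.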
@@ -165,7 +165,7 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader, SkRect rect; reader->readRect(&rect); uint32_t packed = reader->readInt(); - SkClipOp clipOp = ClipParams_unpackRegionOp(packed); + SkClipOp clipOp = ClipParams_unpackRegionOp(reader, packed); bool doAA = ClipParams_unpackDoAA(packed); size_t offsetToRestore = reader->readInt(); BREAK_ON_READ_ERROR(reader); @@ -180,7 +180,7 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader, SkRRect rrect; reader->readRRect(&rrect); uint32_t packed = reader->readInt(); - SkClipOp clipOp = ClipParams_unpackRegionOp(packed); + SkClipOp clipOp = ClipParams_unpackRegionOp(reader, packed); bool doAA = ClipParams_unpackDoAA(packed); size_t offsetToRestore = reader->readInt(); BREAK_ON_READ_ERROR(reader); diff --git a/src/effects/Sk1DPathEffect.cpp b/src/effects/Sk1DPathEffect.cpp index 26cd046aa8..2247a79993 100644 --- a/src/effects/Sk1DPathEffect.cpp +++ b/src/effects/Sk1DPathEffect.cpp @@ -205,7 +205,7 @@ void SkPath1DPathEffect::toString(SkString* str) const { sk_sp<SkPathEffect> SkPath1DPathEffect::Make(const SkPath& path, SkScalar advance, SkScalar phase, Style style) { - if (advance <= 0 || path.isEmpty()) { + if (advance <= 0 || !SkScalarIsFinite(advance) || path.isEmpty()) { return nullptr; } return sk_sp<SkPathEffect>(new SkPath1DPathEffect(path, advance, phase, style)); diff --git a/src/effects/SkBlurMaskFilter.cpp b/src/effects/SkBlurMaskFilter.cpp index 84d9e18703..f56c273211 100644 --- a/src/effects/SkBlurMaskFilter.cpp +++ b/src/effects/SkBlurMaskFilter.cpp 
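Review bot: `phase` is still passed to the constructor unchecked in `SkPath1DPathEffect::Make`. The new `!SkScalarIsFinite(advance)` test stops a NaN or infinite `advance`, but a non-finite `phase` takes the same path. The constructor is outside the hunk, so whether it normalises `phase` safely cannot be confirmed from here. I would extend the guard to `if (advance <= 0 || !SkScalarIsFinite(advance) || !SkScalarIsFinite(phase) || path.isEmpty()) {`.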
@@ -128,14 +128,12 @@ const SkScalar SkBlurMaskFilterImpl::kMAX_BLUR_SIGMA = SkIntToScalar(128); sk_sp<SkMaskFilter> SkBlurMaskFilter::Make(SkBlurStyle style, SkScalar sigma, const SkRect& occluder, uint32_t flags) { + SkASSERT(!(flags & ~SkBlurMaskFilter::kAll_BlurFlag)); + SkASSERT(style <= kLastEnum_SkBlurStyle); + if (!SkScalarIsFinite(sigma) || sigma <= 0) { return nullptr; } - if ((unsigned)style > (unsigned)kLastEnum_SkBlurStyle) { - return nullptr; - } - SkASSERT(flags <= SkBlurMaskFilter::kAll_BlurFlag); - flags &= SkBlurMaskFilter::kAll_BlurFlag; return sk_sp<SkMaskFilter>(new SkBlurMaskFilterImpl(sigma, style, occluder, flags)); } @@ -735,7 +733,12 @@ void SkBlurMaskFilterImpl::computeFastBounds(const SkRect& src, sk_sp<SkFlattenable> SkBlurMaskFilterImpl::CreateProc(SkReadBuffer& buffer) { const SkScalar sigma = buffer.readScalar(); const unsigned style = buffer.readUInt(); - const unsigned flags = buffer.readUInt(); + unsigned flags = buffer.readUInt(); + + buffer.validate(style <= kLastEnum_SkBlurStyle); + buffer.validate(!(flags & ~SkBlurMaskFilter::kAll_BlurFlag)); + + flags &= SkBlurMaskFilter::kAll_BlurFlag; SkRect occluder; if (buffer.isVersionLT(SkReadBuffer::kBlurMaskFilterWritesOccluder)) { |
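Review bot: In `SkBlurMaskFilter::Make` the range check on `style` and the masking of `flags` are now only `SkASSERT`s, which compile out of release builds. A direct caller passing an out-of-range `style` or stray flag bits therefore reaches `SkBlurMaskFilterImpl` unfiltered, where the old code returned nullptr or masked the bits. If `Make` is meant to stay safe for arbitrary callers, keep the runtime guard next to the asserts: `if ((unsigned)style > (unsigned)kLastEnum_SkBlurStyle) { return nullptr; }` and `flags &= SkBlurMaskFilter::kAll_BlurFlag;`. The unsigned casts also covered a negative `style`, which the new `style <= kLastEnum_SkBlurStyle` comparison may not, depending on the enum's underlying type.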
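Review bot: The two `buffer.validate(...)` calls in `SkBlurMaskFilterImpl::CreateProc` record the failure, but their results are ignored and `style` keeps its out-of-range value while only `flags` is masked. The rest of the function is outside the hunk; unless it checks the buffer or `style` before constructing the filter, a corrupt stream would reach `Make`, which in this same commit only asserts on `style`. I would bail out right after the checks: `if (!buffer.isValid()) { return nullptr; }`.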