diff options
author | Kevin Lubick <kjlubick@google.com> | 2018-05-16 13:36:57 -0400 |
---|---|---|
committer | Skia Commit-Bot <skia-commit-bot@chromium.org> | 2018-05-16 18:07:57 +0000 |
commit | 9fba557ad559f337b4ba3dcf5ab117cb68a3887a (patch) | |
tree | c25c32bd7797097ef640899d0066cf87a4c005b8 /src | |
parent | 3c042263758ba6f016e1a44edd43eb3508efbb46 (diff) |
Remove problematic pre-allocations when deserializing
The fuzzer would frequently OOM on these.
Bug: skia:7937
Change-Id: I5e6a7dabeca327452f774100c9db05cd6be4cb06
Reviewed-on: https://skia-review.googlesource.com/128551
Reviewed-by: Florin Malita <fmalita@chromium.org>
Reviewed-by: Mike Klein <mtklein@google.com>
Commit-Queue: Mike Klein <mtklein@google.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/core/SkPictureData.cpp | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/src/core/SkPictureData.cpp b/src/core/SkPictureData.cpp index 6ce3b5c309..571c6d7b35 100644 --- a/src/core/SkPictureData.cpp +++ b/src/core/SkPictureData.cpp @@ -395,9 +395,9 @@ void SkPictureData::parseBufferTag(SkReadBuffer& buffer, uint32_t tag, uint32_t return; } const int count = SkToInt(size); - fPaints.reset(count); + for (int i = 0; i < count; ++i) { - if (!buffer.readPaint(&fPaints[i])) { + if (!buffer.readPaint(&fPaints.push_back())) { return; } } @@ -408,9 +408,11 @@ void SkPictureData::parseBufferTag(SkReadBuffer& buffer, uint32_t tag, uint32_t if (!buffer.validate(count >= 0)) { return; } - fPaths.reset(count); for (int i = 0; i < count; i++) { - buffer.readPath(&fPaths[i]); + buffer.readPath(&fPaths.push_back()); + if (!buffer.isValid()) { + return; + } } } break; case SK_PICT_TEXTBLOB_BUFFER_TAG: @@ -423,6 +425,11 @@ void SkPictureData::parseBufferTag(SkReadBuffer& buffer, uint32_t tag, uint32_t new_array_from_buffer(buffer, size, fImages, create_image_from_buffer); break; case SK_PICT_READER_TAG: { + // Preflight check that we can initialize all data from the buffer + // before allocating it. + if (!buffer.validate(size <= buffer.available())) { + return; + } auto data(SkData::MakeUninitialized(size)); if (!buffer.readByteArray(data->writable_data(), size) || !buffer.validate(nullptr == fOpData)) { |