authorGravatar Kevin Lubick <kjlubick@google.com>2018-05-16 13:36:57 -0400
committerGravatar Skia Commit-Bot <skia-commit-bot@chromium.org>2018-05-16 18:07:57 +0000
commit9fba557ad559f337b4ba3dcf5ab117cb68a3887a (patch)
treec25c32bd7797097ef640899d0066cf87a4c005b8 /src
parent3c042263758ba6f016e1a44edd43eb3508efbb46 (diff)
Remove problematic pre-allocations when deserializing
The fuzzer would frequently OOM on these. Bug: skia:7937 Change-Id: I5e6a7dabeca327452f774100c9db05cd6be4cb06 Reviewed-on: https://skia-review.googlesource.com/128551 Reviewed-by: Florin Malita <fmalita@chromium.org> Reviewed-by: Mike Klein <mtklein@google.com> Commit-Queue: Mike Klein <mtklein@google.com>
Diffstat (limited to 'src')
-rw-r--r--src/core/SkPictureData.cpp15
1 files changed, 11 insertions, 4 deletions
diff --git a/src/core/SkPictureData.cpp b/src/core/SkPictureData.cpp
index 6ce3b5c309..571c6d7b35 100644
--- a/src/core/SkPictureData.cpp
+++ b/src/core/SkPictureData.cpp
@@ -395,9 +395,9 @@ void SkPictureData::parseBufferTag(SkReadBuffer& buffer, uint32_t tag, uint32_t
return;
}
const int count = SkToInt(size);
- fPaints.reset(count);
+
for (int i = 0; i < count; ++i) {
- if (!buffer.readPaint(&fPaints[i])) {
+ if (!buffer.readPaint(&fPaints.push_back())) {
return;
}
}
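Review bot: Dropping `fPaints.reset(count)` also drops the clearing of whatever `fPaints` already holds, so the `push_back()` on the new line appends to the existing contents; if a buffer carried the paint tag twice, the second occurrence would extend the array rather than replace it, and the paint indices later resolved against `fPaints` would shift. If a repeated tag is not a supported layout, reject it up front the way the reader-tag branch validates `fOpData`, e.g. `if (!buffer.validate(fPaints.empty())) { return; }` before the loop. The same applies to `fPaths` in the next hunk. parseBufferTag starts before this hunk and continues past it.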
@@ -408,9 +408,11 @@ void SkPictureData::parseBufferTag(SkReadBuffer& buffer, uint32_t tag, uint32_t
if (!buffer.validate(count >= 0)) {
return;
}
- fPaths.reset(count);
for (int i = 0; i < count; i++) {
- buffer.readPath(&fPaths[i]);
+ buffer.readPath(&fPaths.push_back());
+ if (!buffer.isValid()) {
+ return;
+ }
}
} break;
case SK_PICT_TEXTBLOB_BUFFER_TAG:
@@ -423,6 +425,11 @@ void SkPictureData::parseBufferTag(SkReadBuffer& buffer, uint32_t tag, uint32_t
new_array_from_buffer(buffer, size, fImages, create_image_from_buffer);
break;
case SK_PICT_READER_TAG: {
+ // Preflight check that we can initialize all data from the buffer
+ // before allocating it.
+ if (!buffer.validate(size <= buffer.available())) {
+ return;
+ }
auto data(SkData::MakeUninitialized(size));
if (!buffer.readByteArray(data->writable_data(), size) ||
!buffer.validate(nullptr == fOpData)) {
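Review bot: The new comment says what the check does but not why it is worth doing before the `readByteArray` call, whose failure the next lines already handle; without that, a later reader will see the preflight as redundant and may remove it. Suggest `// A corrupt buffer can claim any size; bound it by the bytes actually remaining so MakeUninitialized never allocates for a claim we cannot fill (skia:7937).` The enclosing switch case and parseBufferTag continue outside the hunk.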