| Field | Value | Date |
|---|---|---|
| author | raftias <raftias@google.com> | 2016-09-29 14:31:44 -0400 |
| committer | Skia Commit-Bot <skia-commit-bot@chromium.org> | 2016-09-29 18:59:53 +0000 |
| commit | c6cc28c35be30f9ea144f433f3f04273674e29ed | |
| tree | 8bc434df227d9c3c8e450c993f43ba92bcff517e /src | |
| parent | fa9f241a85c55c32a3fe2ae0324811de998f7a2e | |
Fixed invalid memory access issue in SkColorSpaceXform::apply()
Passing in a large buffer along with a source colour space that
used a CLUT would cause apply() to read freed heap memory, or,
for smaller buffers, read possibly re-used stack memory.
The code previously likely lucked out due to optimizations
removing most or all of the subsequent stack allocations.
BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2759
Change-Id: I39f357bce080c4d737a83dd019f0d1ccbc56f995
Reviewed-on: https://skia-review.googlesource.com/2759
Commit-Queue: Robert Aftias <raftias@google.com>
Reviewed-by: Matt Sarett <msarett@google.com>
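The lifetime bug the commit message describes, as an added example that is not Skia's code: `AutoSMalloc`, `apply_lut`, `swap_rb`, `apply_before_fix`, `apply_after_fix` and `run_fixed` are stand-ins written for this page, and the 16-pixel inline threshold is chosen here for illustration (Skia's `SkAutoSMalloc` in this function uses 1024 pixels, or 256 under GOOGLE3). It goes slightly beyond the commit text by exercising both the heap path (len above the inline size) and the inline path, so both failure modes named in the message are reachable.

```cpp
// Added example (not Skia code): a toy AutoSMalloc and a CLUT pass shaped
// like SkColorSpaceXform::apply(), showing the lifetime bug and the fix.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <vector>

// Stand-in for SkAutoSMalloc: requests up to kInlineBytes use the inline
// array, larger ones go to the heap and are freed in the destructor.
template <size_t kInlineBytes>
class AutoSMalloc {
public:
    AutoSMalloc() = default;
    explicit AutoSMalloc(size_t bytes) { this->reset(bytes); }
    ~AutoSMalloc() { this->release(); }
    AutoSMalloc(const AutoSMalloc&) = delete;
    AutoSMalloc& operator=(const AutoSMalloc&) = delete;

    void* reset(size_t bytes) {
        this->release();
        if (bytes > kInlineBytes) {
            fHeap = std::malloc(bytes);
            if (!fHeap) std::abort();
        }
        return this->get();
    }
    void* get() { return fHeap ? fHeap : fInline; }

private:
    void release() { std::free(fHeap); fHeap = nullptr; }
    void* fHeap = nullptr;
    alignas(uint32_t) unsigned char fInline[kInlineBytes];
};

// Toy per-byte lookup standing in for handle_color_lut().
static void apply_lut(uint32_t* dst, const uint32_t* src, int len, const uint8_t lut[256]) {
    for (int i = 0; i < len; ++i) {
        uint32_t p = src[i], out = 0;
        for (int shift = 0; shift < 32; shift += 8) {
            out |= uint32_t(lut[(p >> shift) & 0xFF]) << shift;
        }
        dst[i] = out;
    }
}

// A later stage that still reads `src`: swap the R and B bytes.
static uint32_t swap_rb(uint32_t p) {
    return ((p & 0xFFu) << 16) | (p & 0xFF00FF00u) | ((p >> 16) & 0xFFu);
}

// Shape of apply() before the commit. `storage` is destroyed at the closing
// brace of the if-block while `src` still points into it: for len > 16 the
// heap block has already been freed, for len <= 16 the inline array is a dead
// stack slot the compiler is free to reuse. Kept for comparison only; do not
// call it (AddressSanitizer reports the read when you do).
void apply_before_fix(uint32_t* dst, const uint32_t* src, int len, const uint8_t* lut) {
    if (lut) {
        AutoSMalloc<16 * sizeof(uint32_t)> storage(size_t(len) * sizeof(uint32_t));
        apply_lut((uint32_t*)storage.get(), src, len, lut);
        src = (const uint32_t*)storage.get();
    }   // ~AutoSMalloc() runs here; src now dangles
    for (int i = 0; i < len; ++i) dst[i] = swap_rb(src[i]);   // use after scope/free
}

// Shape of apply() after the commit: `storage` lives in the enclosing scope,
// so it outlives every later read of `src`, and is only sized on the CLUT path.
void apply_after_fix(uint32_t* dst, const uint32_t* src, int len, const uint8_t* lut) {
    if (len <= 0) return;
    AutoSMalloc<16 * sizeof(uint32_t)> storage;
    if (lut) {
        storage.reset(size_t(len) * sizeof(uint32_t));
        apply_lut((uint32_t*)storage.get(), src, len, lut);
        src = (const uint32_t*)storage.get();
    }
    for (int i = 0; i < len; ++i) dst[i] = swap_rb(src[i]);
}

// Runs the fixed path, optionally through an inverting LUT (lut[i] = 255 - i).
std::vector<uint32_t> run_fixed(const std::vector<uint32_t>& src, bool invert) {
    uint8_t lut[256];
    for (int i = 0; i < 256; ++i) lut[i] = uint8_t(255 - i);
    std::vector<uint32_t> dst(src.size());
    apply_after_fix(dst.data(), src.data(), int(src.size()), invert ? lut : nullptr);
    return dst;
}

int main() {
    // Constructed inputs: two pixels stay on the inline path, 64 force the heap path.
    std::vector<uint32_t> small = run_fixed({0x00112233u, 0x44556677u}, true);
    std::vector<uint32_t> big(64);
    for (int i = 0; i < 64; ++i) big[i] = uint32_t(i);
    std::vector<uint32_t> bigOut = run_fixed(big, true);
    std::printf("%08x %08x %08x\n", small[0], small[1], bigOut[5]);
    return 0;
}
```

Build with `-fsanitize=address` and call `apply_before_fix` with a LUT to see the heap-use-after-free on the 64-pixel input; the two-pixel input is the stack case the commit message says was only masked by optimisation, which ASan builds with use-after-scope instrumentation also report.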
Diffstat (limited to 'src')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | src/core/SkColorSpaceXform.cpp | 12 |

1 file changed, 6 insertions, 6 deletions
diff --git a/src/core/SkColorSpaceXform.cpp b/src/core/SkColorSpaceXform.cpp index 6f2f75b8b1..1c0dd880e7 100644 --- a/src/core/SkColorSpaceXform.cpp +++ b/src/core/SkColorSpaceXform.cpp @@ -1353,15 +1353,15 @@ const } } - if (fColorLUT) { - size_t storageBytes = len * sizeof(uint32_t); #if defined(GOOGLE3) - // Stack frame size is limited in GOOGLE3. - SkAutoSMalloc<256 * sizeof(uint32_t)> storage(storageBytes); + // Stack frame size is limited in GOOGLE3. + SkAutoSMalloc<256 * sizeof(uint32_t)> storage; #else - SkAutoSMalloc<1024 * sizeof(uint32_t)> storage(storageBytes); + SkAutoSMalloc<1024 * sizeof(uint32_t)> storage; #endif - + if (fColorLUT) { + size_t storageBytes = len * sizeof(uint32_t); + storage.reset(storageBytes); handle_color_lut((uint32_t*) storage.get(), src, len, fColorLUT.get()); src = (const uint32_t*) storage.get(); } |
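Review bot: the hoisted declaration of `storage` carries no comment saying why it must sit outside the `if (fColorLUT)` block; the reason (`src = (const uint32_t*) storage.get();` re-points `src` into `storage`, and `src` is read after the block) lives only in the commit message, so a later cleanup could move the declaration back into the branch and reintroduce the dangling read. Suggest a one-line comment above the `SkAutoSMalloc` declaration, e.g. `// Must outlive the if-block below: src may alias storage after the CLUT pass.` Two smaller points in the same hunk: `size_t storageBytes = len * sizeof(uint32_t);` has no overflow guard, so if `len` can arrive from a caller-supplied size the multiplication can wrap and `storage.reset(storageBytes)` will hand back a buffer smaller than `handle_color_lut()` writes; an overflow-checked multiply or an explicit upper bound on `len` would close that. And with the declaration now unconditional, the `// Stack frame size is limited in GOOGLE3.` comment applies to every `apply()` call, which is fine because the object is default-constructed and only `reset()` on the CLUT path, but that intent is worth stating next to it.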