authorGravatar ajuma <ajuma@chromium.org>2016-01-13 13:46:31 -0800
committerGravatar Commit bot <commit-bot@chromium.org>2016-01-13 13:46:32 -0800
commitf8aec588bfd2df17130ee93593a8f4ae781afe1f (patch)
tree1e351d951aa5cafd57155c59d968f5c4248c8451 /src
parent97c40072b0ed5fdca3724ec79dd09d5467a981b5 (diff)
Fix fuzzer-found deserialization bugs
This fixes deserialization bugs found by fuzzing SkPaintImageFilter. BUG=576908,576910 GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1589533002 Review URL: https://codereview.chromium.org/1589533002
Diffstat (limited to 'src')
-rw-r--r--src/core/SkBuffer.cpp2
-rw-r--r--src/core/SkPaint.cpp3
-rw-r--r--src/core/SkPath.cpp19
-rw-r--r--src/core/SkPathRef.cpp5
4 files changed, 16 insertions, 13 deletions
diff --git a/src/core/SkBuffer.cpp b/src/core/SkBuffer.cpp
index 86c3bed3f1..df8dc69594 100644
--- a/src/core/SkBuffer.cpp
+++ b/src/core/SkBuffer.cpp
@@ -35,7 +35,7 @@ size_t SkRBuffer::skipToAlign4()
}
bool SkRBufferWithSizeCheck::read(void* buffer, size_t size) {
- fError = fError || (fPos + size > fStop);
+ fError = fError || (size > static_cast<size_t>(fStop - fPos));
if (!fError && (size > 0)) {
readNoSizeCheck(buffer, size);
}
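Review bot: The rewritten check on the `+` line is only sound while `fPos <= fStop`; if fPos ever ran past fStop, `fStop - fPos` would be negative and the `static_cast<size_t>` would turn it into a huge bound that any `size` satisfies. Nothing in the hunk establishes that invariant, so an `SkASSERT(fPos <= fStop);` placed ahead of the check would both document and enforce it in debug builds. The body of read() continues past the hunk.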
diff --git a/src/core/SkPaint.cpp b/src/core/SkPaint.cpp
index c0e552ae35..e5fe975bcd 100644
--- a/src/core/SkPaint.cpp
+++ b/src/core/SkPaint.cpp
@@ -1946,6 +1946,9 @@ void SkPaint::flatten(SkWriteBuffer& buffer) const {
void SkPaint::unflatten(SkReadBuffer& buffer) {
SkASSERT(SkAlign4(kPODPaintSize) == kPODPaintSize);
+ if (!buffer.validateAvailable(kPODPaintSize)) {
+ return;
+ }
const void* podData = buffer.skip(kPODPaintSize);
const uint32_t* pod = reinterpret_cast<const uint32_t*>(podData);
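Review bot: The early `return` added before `buffer.skip(kPODPaintSize)` exits without modifying the paint and without a return value, so a truncated input can only be detected by the caller through the buffer's own validity state. A short comment on the return, `// Truncated input: leave the paint untouched; the caller must check the buffer's validity`, would make that contract visible; this is phrased as an expectation because the caller is not in the hunk. unflatten() continues beyond the hunk.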
diff --git a/src/core/SkPath.cpp b/src/core/SkPath.cpp
index ab8d7359d2..4af2dad526 100644
--- a/src/core/SkPath.cpp
+++ b/src/core/SkPath.cpp
@@ -1909,6 +1909,13 @@ size_t SkPath::readFromMemory(const void* storage, size_t length) {
uint8_t dir = (packed >> kDirection_SerializationShift) & 0x3;
fIsVolatile = (packed >> kIsVolatile_SerializationShift) & 0x1;
SkPathRef* pathRef = SkPathRef::CreateFromBuffer(&buffer);
+ if (!pathRef) {
+ return 0;
+ }
+
+ fPathRef.reset(pathRef);
+ SkDEBUGCODE(this->validate();)
+ buffer.skipToAlign4();
// compatibility check
if (version < kPathPrivFirstDirection_Version) {
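Review bot: `fIsVolatile` is assigned on the line just before `CreateFromBuffer` is called, so the new `return 0` on a null pathRef leaves the path partially overwritten by data from a buffer that failed to deserialize. Moving the `fIsVolatile = (packed >> kIsVolatile_SerializationShift) & 0x1;` assignment below the null check, next to `fPathRef.reset(pathRef)`, would keep a failed read from modifying the object at all; `dir` is a local and is unaffected. readFromMemory() begins before this hunk and the second hunk in the file continues it.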
@@ -1929,17 +1936,7 @@ size_t SkPath::readFromMemory(const void* storage, size_t length) {
fFirstDirection = dir;
}
- size_t sizeRead = 0;
- if (buffer.isValid()) {
- fPathRef.reset(pathRef);
- SkDEBUGCODE(this->validate();)
- buffer.skipToAlign4();
- sizeRead = buffer.pos();
- } else if (pathRef) {
- // If the buffer is not valid, pathRef should be nullptr
- sk_throw();
- }
- return sizeRead;
+ return buffer.pos();
}
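Review bot: `return buffer.pos();` drops the `buffer.isValid()` guard the removed lines had, so the reported size now depends on every read failure inside `CreateFromBuffer` surfacing as a null pathRef and on the `skipToAlign4()` call in the first hunk never setting the error flag. If either assumption does not hold, a truncated input would be reported as successfully read with a non-zero size; I cannot confirm either from the visible lines. Keeping `return buffer.isValid() ? buffer.pos() : 0;` costs one check and preserves the earlier contract.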
///////////////////////////////////////////////////////////////////////////////
diff --git a/src/core/SkPathRef.cpp b/src/core/SkPathRef.cpp
index 28bffcbde8..cf4e8ffba2 100644
--- a/src/core/SkPathRef.cpp
+++ b/src/core/SkPathRef.cpp
@@ -138,8 +138,11 @@ SkPathRef* SkPathRef::CreateFromBuffer(SkRBuffer* buffer) {
int32_t verbCount, pointCount, conicCount;
if (!buffer->readU32(&(ref->fGenerationID)) ||
!buffer->readS32(&verbCount) ||
+ verbCount < 0 ||
!buffer->readS32(&pointCount) ||
- !buffer->readS32(&conicCount)) {
+ pointCount < 0 ||
+ !buffer->readS32(&conicCount) ||
+ conicCount < 0) {
delete ref;
return nullptr;
}
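Review bot: The three new `< 0` checks reject negative counts but leave positive ones unbounded, so an untrusted header can still declare verb/point/conic counts far larger than the bytes remaining in `buffer`; whatever sizing follows the hunk presumably allocates from these values before the subsequent reads fail. Checking each count against the buffer's remaining size at this point, and that their combination cannot overflow `int32_t`, would fail fast without an oversized allocation. The remainder of CreateFromBuffer is outside the hunk, so this is inferred from the visible lines.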