Revert "Revert "Fix SkPathRef deserialization malloc crash""

This reverts commit a4ce4b1f6bef22e7ca5c7a952197fc2bc70923fc.

Fix SkPathRef deserialization malloc crash

If the path says it has more points/verbs/etc than the buffer could
be holding, then resetToSize could try to allocate something huge
and crash.

Bug: skia:
Change-Id: I23b8870e9f74386aca89fb8f9a60d3b452044094
Reviewed-on: https://skia-review.googlesource.com/26805
Commit-Queue: Mike Klein <mtklein@chromium.org>
Reviewed-by: Mike Klein <mtklein@chromium.org>

1 files changed, 55 insertions, 0 deletions

diff --git a/tests/PathTest.cpp b/tests/PathTest.cpp
index 117da5bdeb..cdaa1c5845 100644
--- a/tests/PathTest.cpp
+++ b/tests/PathTest.cpp
@@ -4775,3 +4775,58 @@ DEF_TEST(skbug_6450, r) {
     orr.setRectRadii(ro, rdo);
     SkMakeNullCanvas()->drawDRRect(orr, irr, SkPaint());
 }
+
+DEF_TEST(PathRefSerialization, reporter) {
+    SkPath path;
+    const size_t numMoves = 5;
+    const size_t numConics = 7;
+    const size_t numPoints = numMoves + 2 * numConics;
+    const size_t numVerbs = numMoves + numConics;
+    for (size_t i = 0; i < numMoves; ++i) path.moveTo(1, 2);
+    for (size_t i = 0; i < numConics; ++i) path.conicTo(1, 2, 3, 4, 5);
+    REPORTER_ASSERT(reporter, path.countPoints() == numPoints);
+    REPORTER_ASSERT(reporter, path.countVerbs() == numVerbs);
+
+    // Verify that path serializes/deserializes properly.
+    sk_sp<SkData> data = path.serialize();
+    size_t bytesWritten = data->size();
+
+    {
+        SkPath readBack;
+        REPORTER_ASSERT(reporter, readBack != path);
+        size_t bytesRead = readBack.readFromMemory(data->data(), bytesWritten);
+        REPORTER_ASSERT(reporter, bytesRead == bytesWritten);
+        REPORTER_ASSERT(reporter, readBack == path);
+    }
+
+    // uint32_t[] offset into serialized path.
+    const size_t verbCountOffset = 4;
+    const size_t pointCountOffset = 5;
+    const size_t conicCountOffset = 6;
+
+    // Verify that this test is changing the right values.
+    const int* writtenValues = static_cast<const int*>(data->data());
+    REPORTER_ASSERT(reporter, writtenValues[verbCountOffset] == numVerbs);
+    REPORTER_ASSERT(reporter, writtenValues[pointCountOffset] == numPoints);
+    REPORTER_ASSERT(reporter, writtenValues[conicCountOffset] == numConics);
+
+    // Too many verbs, points, or conics fails to deserialize silently.
+    const int tooManyObjects = INT_MAX;
+    size_t offsets[] = {verbCountOffset, pointCountOffset, conicCountOffset};
+    for (size_t i = 0; i < 3; ++i) {
+        SkAutoMalloc storage_copy(bytesWritten);
+        memcpy(storage_copy.get(), data->data(), bytesWritten);
+        static_cast<int*>(storage_copy.get())[offsets[i]] = tooManyObjects;
+        SkPath readBack;
+        size_t bytesRead = readBack.readFromMemory(storage_copy.get(), bytesWritten);
+        REPORTER_ASSERT(reporter, !bytesRead);
+    }
+
+    // One less byte (rounded down to alignment) than was written will also
+    // fail to be deserialized.
+    {
+        SkPath readBack;
+        size_t bytesRead = readBack.readFromMemory(data->data(), bytesWritten - 4);
+        REPORTER_ASSERT(reporter, !bytesRead);
+    }
+}