diff options
author | Mike Reed <reed@google.com> | 2017-07-26 17:33:44 -0400 |
---|---|---|
committer | Skia Commit-Bot <skia-commit-bot@chromium.org> | 2017-07-27 12:15:03 +0000 |
commit | 41a930f85bc3988cfbb47a902b03a9830f8149bb (patch) | |
tree | d912d3e1f69ce84cce68199e172e9538d97f49c9 /tests/PathTest.cpp | |
parent | 6cd51b51d6603a3100b147c45f38697f2f199fc6 (diff) |
Revert "Revert "Fix SkPathRef deserialization malloc crash""
This reverts commit a4ce4b1f6bef22e7ca5c7a952197fc2bc70923fc.
Fix SkPathRef deserialization malloc crash
If the path says it has more points/verbs/etc than the buffer could
be holding, then resetToSize could try to allocate something huge
and crash.
Bug: skia:
Change-Id: I23b8870e9f74386aca89fb8f9a60d3b452044094
Reviewed-on: https://skia-review.googlesource.com/26805
Commit-Queue: Mike Klein <mtklein@chromium.org>
Reviewed-by: Mike Klein <mtklein@chromium.org>
Diffstat (limited to 'tests/PathTest.cpp')
-rw-r--r-- | tests/PathTest.cpp | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/tests/PathTest.cpp b/tests/PathTest.cpp index 117da5bdeb..cdaa1c5845 100644 --- a/tests/PathTest.cpp +++ b/tests/PathTest.cpp @@ -4775,3 +4775,58 @@ DEF_TEST(skbug_6450, r) { orr.setRectRadii(ro, rdo); SkMakeNullCanvas()->drawDRRect(orr, irr, SkPaint()); } + +DEF_TEST(PathRefSerialization, reporter) { + SkPath path; + const size_t numMoves = 5; + const size_t numConics = 7; + const size_t numPoints = numMoves + 2 * numConics; + const size_t numVerbs = numMoves + numConics; + for (size_t i = 0; i < numMoves; ++i) path.moveTo(1, 2); + for (size_t i = 0; i < numConics; ++i) path.conicTo(1, 2, 3, 4, 5); + REPORTER_ASSERT(reporter, path.countPoints() == numPoints); + REPORTER_ASSERT(reporter, path.countVerbs() == numVerbs); + + // Verify that path serializes/deserializes properly. + sk_sp<SkData> data = path.serialize(); + size_t bytesWritten = data->size(); + + { + SkPath readBack; + REPORTER_ASSERT(reporter, readBack != path); + size_t bytesRead = readBack.readFromMemory(data->data(), bytesWritten); + REPORTER_ASSERT(reporter, bytesRead == bytesWritten); + REPORTER_ASSERT(reporter, readBack == path); + } + + // uint32_t[] offset into serialized path. + const size_t verbCountOffset = 4; + const size_t pointCountOffset = 5; + const size_t conicCountOffset = 6; + + // Verify that this test is changing the right values. + const int* writtenValues = static_cast<const int*>(data->data()); + REPORTER_ASSERT(reporter, writtenValues[verbCountOffset] == numVerbs); + REPORTER_ASSERT(reporter, writtenValues[pointCountOffset] == numPoints); + REPORTER_ASSERT(reporter, writtenValues[conicCountOffset] == numConics); + + // Too many verbs, points, or conics fails to deserialize silently. + const int tooManyObjects = INT_MAX; + size_t offsets[] = {verbCountOffset, pointCountOffset, conicCountOffset}; + for (size_t i = 0; i < 3; ++i) { + SkAutoMalloc storage_copy(bytesWritten); + memcpy(storage_copy.get(), data->data(), bytesWritten); + static_cast<int*>(storage_copy.get())[offsets[i]] = tooManyObjects; + SkPath readBack; + size_t bytesRead = readBack.readFromMemory(storage_copy.get(), bytesWritten); + REPORTER_ASSERT(reporter, !bytesRead); + } + + // One less byte (rounded down to alignment) than was written will also + // fail to be deserialized. + { + SkPath readBack; + size_t bytesRead = readBack.readFromMemory(data->data(), bytesWritten - 4); + REPORTER_ASSERT(reporter, !bytesRead); + } +} |