-rw-r--r--gyp/tests.gypi1
-rw-r--r--resources/invalid_images/sigabort_favicon.icobin0 -> 283937 bytes
-rw-r--r--resources/invalid_images/sigsegv_favicon.icobin0 -> 1150 bytes
-rw-r--r--resources/invalid_images/sigsegv_favicon_2.icobin0 -> 1406 bytes
-rw-r--r--src/images/SkImageDecoder_libico.cpp2
-rw-r--r--tests/BadIcoTest.cpp33
6 files changed, 35 insertions, 1 deletions
diff --git a/gyp/tests.gypi b/gyp/tests.gypi
index 4bdea1e1f0..fccbd1cf64 100644
--- a/gyp/tests.gypi
+++ b/gyp/tests.gypi
@@ -49,6 +49,7 @@
'../tests/AnnotationTest.cpp',
'../tests/AsADashTest.cpp',
'../tests/AtomicTest.cpp',
+ '../tests/BadIcoTest.cpp',
'../tests/BitSetTest.cpp',
'../tests/BitmapCopyTest.cpp',
'../tests/BitmapGetColorTest.cpp',
diff --git a/resources/invalid_images/sigabort_favicon.ico b/resources/invalid_images/sigabort_favicon.ico
new file mode 100644
index 0000000000..527d657814
--- /dev/null
+++ b/resources/invalid_images/sigabort_favicon.ico
Binary files differ
diff --git a/resources/invalid_images/sigsegv_favicon.ico b/resources/invalid_images/sigsegv_favicon.ico
new file mode 100644
index 0000000000..f488a24e48
--- /dev/null
+++ b/resources/invalid_images/sigsegv_favicon.ico
Binary files differ
diff --git a/resources/invalid_images/sigsegv_favicon_2.ico b/resources/invalid_images/sigsegv_favicon_2.ico
new file mode 100644
index 0000000000..49730dfe20
--- /dev/null
+++ b/resources/invalid_images/sigsegv_favicon_2.ico
Binary files differ
diff --git a/src/images/SkImageDecoder_libico.cpp b/src/images/SkImageDecoder_libico.cpp
index cd8a292edc..5240d09b86 100644
--- a/src/images/SkImageDecoder_libico.cpp
+++ b/src/images/SkImageDecoder_libico.cpp
@@ -159,7 +159,7 @@ SkImageDecoder::Result SkICOImageDecoder::onDecode(SkStream* stream, SkBitmap* b
const size_t size = read4Bytes(buf, 14 + choice*16); //matters?
const size_t offset = read4Bytes(buf, 18 + choice*16);
// promote the sum to 64-bits to avoid overflow
- if (((uint64_t)offset + size) > length) {
+ if (offset > length || size > length || ((uint64_t)offset + size) > length) {
return kFailure;
}
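Review bot: The comment above the rewritten bounds check still says only that the sum is promoted to 64 bits, which no longer explains the condition. Where `size_t` is already 64 bits wide the `(uint64_t)` cast widens nothing, so `offset + size` can wrap for large values read from the file header; that is presumably what the two new per-field comparisons guard against. I would update the comment to say so, e.g. `// offset and size come from the file: bound each by length first, because the 64-bit sum can itself wrap when size_t is 64 bits`. The whole test can also be written without an addition as `if (offset > length || size > length - offset) {`, which is equivalent and has no overflow case to reason about. onDecode starts and ends outside this hunk, so how `buf` and `length` are established is not visible here.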
diff --git a/tests/BadIcoTest.cpp b/tests/BadIcoTest.cpp
new file mode 100644
index 0000000000..566f3d68a2
--- /dev/null
+++ b/tests/BadIcoTest.cpp
@@ -0,0 +1,33 @@
+/*
+ * Copyright 2014 Google Inc.
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "Resources.h"
+#include "Test.h"
+#include "SkBitmap.h"
+#include "SkImageDecoder.h"
+#include "SkOSFile.h"
+
+DEF_TEST(BadIco, reporter) {
+ const char* const badIcos [] = {
+ "sigabort_favicon.ico",
+ "sigsegv_favicon.ico",
+ "sigsegv_favicon_2.ico",
+ };
+
+ const char* badIcoFolder = "invalid_images";
+
+ SkString resourcePath = GetResourcePath(badIcoFolder);
+
+ SkBitmap bm;
+ for (size_t i = 0; i < SK_ARRAY_COUNT(badIcos); ++i) {
+ SkString fullPath = SkOSPath::Join(resourcePath.c_str(), badIcos[i]);
+ bool success = SkImageDecoder::DecodeFile(fullPath.c_str(), &bm);
+ // These files are invalid, and should not decode. More importantly,
+ // though, we reached here without crashing.
+ REPORTER_ASSERT(reporter, !success);
+ }
+}
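Review bot: The loop asserts only `!success`, so the test also passes when the three .ico files are never opened, for instance if the resource path is not configured or `invalid_images` is missing from the checkout. In that case the regression coverage for the decoder bounds check silently disappears. I would confirm each file is present before decoding, e.g. `REPORTER_ASSERT(reporter, sk_exists(fullPath.c_str()));` ahead of the `DecodeFile` call, or skip with a logged message when `resourcePath` is empty. A short comment on `badIcos` saying what each file is malformed in would also help whoever next touches the ICO decoder.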