| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This CL fixes 3 fuzzer bugs:
the rowBytes computation is really unfortunate in ReadRawPixels when width or height is negative
In two instances uints were being read through the underlying SkReader32 rather than going through the readUInt virtual
In skip SkAlign4 can wrap around and return an answer of 0 for large size_ts!!
Change-Id: I657e3afdb4804627604b59abc8008ccdfe47eab2
Reviewed-on: https://skia-review.googlesource.com/6332
Reviewed-by: Herb Derby <herb@google.com>
Commit-Queue: Robert Phillips <robertphillips@google.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It has not caught on.
BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=3321
Change-Id: Ib2ee4ef99bc89c8f4b7504e42a9d7d9dfc483015
Reviewed-on: https://skia-review.googlesource.com/3321
Reviewed-by: Leon Scroggins <scroggo@google.com>
Reviewed-by: Mike Klein <mtklein@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
In one case the fuzzer was switching the picture's op code to an invalid value
In the other two the fuzzer was maxing out the number of points passed to drawPoints and the number of characters passed to drawTextRSXform. In these cases the validation would fail but still return a pointer into the data stream.
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2593
Change-Id: Id6d4e6b7bcbae38ace7ad1d92ffcfa5c02f9fb61
Reviewed-on: https://skia-review.googlesource.com/2593
Reviewed-by: Mike Reed <reed@google.com>
|
|
|
|
|
|
|
|
|
|
| |
Adjusted usage in color shader, and will also be using this
in gradients, soon.
BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2334123003
Review-Url: https://codereview.chromium.org/2334123003
|
|
|
|
|
|
|
|
|
|
|
| |
This comes from the Skia fuzzer where it is inverting the RRect's rect which causes trouble down the line.
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2591
Change-Id: I5c34105a47369492d2df99d39a4e29116060ad37
Reviewed-on: https://skia-review.googlesource.com/2591
Reviewed-by: Mike Reed <reed@google.com>
Commit-Queue: Robert Phillips <robertphillips@google.com>
|
|
|
|
|
|
|
|
|
| |
BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2290653002
TBR=mtklein
Review-Url: https://codereview.chromium.org/2290653002
|
|
|
|
|
|
|
|
|
|
| |
The main "fix" here was that the assert was checking the un-clamped input value rather than the clamped value.
The SkValidatingReadBuffer.cpp change was required to get the reproducing fuzz test case to complete.
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2107453002
Review-Url: https://codereview.chromium.org/2107453002
|
|
|
|
|
|
|
| |
BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1937053002
Review-Url: https://codereview.chromium.org/1937053002
|
|
|
|
|
|
|
| |
BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1936103002
Review-Url: https://codereview.chromium.org/1936103002
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now flattenables are serialized using a string name, so that
flattenables do not necessarily need to be registered before
serialization. They just need to override getTypeName().
Allows custom unflatten procs to be set on the SkReadBuffer.
This is optional if the flattenable is registered, but otherwise
must be called.
This was split off from:
https://codereview.chromium.org/1837913003/
BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1858323002
Review URL: https://codereview.chromium.org/1858323002
|
|
|
|
|
|
|
|
|
| |
What appears to be happening in this fuzz is that a paint index inside the picture of an SkPictureImageFilter is getting changed to be out of range.
BUG=skia:5192
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1893423002
Review URL: https://codereview.chromium.org/1893423002
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following are unused in Chromium, Android, Mozilla, and Google3:
- SkFixedToScalar
- SkScalarToFixed
The following are additionally unused in Skia:
- SkStrAppendFixed
- SkWriteBuffer::writeFixed
BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1841123002
Review URL: https://codereview.chromium.org/1841123002
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://codereview.chromium.org/1861013002/ )
Reason for revert:
See sugoi's comment.
Original issue's description:
> Delete SkFlattenable::Type (part 1)
>
> This should allow me to delete uses of SkFlattenable::Type in Chrome.
> Then I'll follow up with the full delete.
> https://codereview.chromium.org/1834303003/
>
> TBR=reed@google.com
>
> BUG=skia:
> GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1861013002
>
> Committed: https://skia.googlesource.com/skia/+/6b63536e917d86028630199c4eef4aa1597292ce
TBR=reed@google.com,mtklein@google.com,sugoi@chromium.org,senorblanco@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=skia:
Review URL: https://codereview.chromium.org/1860693005
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This should allow me to delete uses of SkFlattenable::Type in Chrome.
Then I'll follow up with the full delete.
https://codereview.chromium.org/1834303003/
TBR=reed@google.com
BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1861013002
Review URL: https://codereview.chromium.org/1861013002
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://codereview.chromium.org/1834303003/ )
Reason for revert:
Used by Chrome.
c:\b\build\slave\workdir\build\src\cc\playback\compositing_display_item.cc(53): error C2039: 'GetFlattenableType': is not a member of 'SkColorFilter'
c:\b\build\slave\workdir\build\src\third_party\skia\include\core\skshader.h(19): note: see declaration of 'SkColorFilter'
c:\b\build\slave\workdir\build\src\cc\playback\compositing_display_item.cc(53): error C3861: 'GetFlattenableType': identifier not found
Original issue's description:
> Delete SkFlattenable::Type
>
> BUG=skia:
> GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1834303003
>
> Committed: https://skia.googlesource.com/skia/+/99d9231f6a4cb6b85b8637e9d8ae32f8bd7c466f
TBR=reed@google.com,msarett@google.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=skia:
Review URL: https://codereview.chromium.org/1853383002
|
|
|
|
|
|
|
| |
BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1834303003
Review URL: https://codereview.chromium.org/1834303003
|
|
|
|
|
|
|
| |
BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1855733002
Review URL: https://codereview.chromium.org/1855733002
|
|
|
|
|
|
|
|
| |
Add an assert to make sure we're not calling this unimplemented method.
BUG=skia:3978
Review URL: https://codereview.chromium.org/1341753003
|
|
|
|
|
|
| |
DOCS_PREVIEW= https://skia.org/?cl=1316233002
Review URL: https://codereview.chromium.org/1316233002
|
|
|
|
|
|
|
|
| |
In 32 bits, if the "element count" was under 32 bits, but "element count" * "element size" was over the 32 bit limit, the overflow was causing the read operation to appear as if it had succeded, even though it should have failed.
BUG=456828
Review URL: https://codereview.chromium.org/904833003
|
|
|
|
|
|
|
|
| |
When an error occurs reading a flattenable object, it should be unrefed instead of deleted because, in the case of SkXferMode, for example, we'd actually be deleting a cached object kept in a static array.
BUG=428789
Review URL: https://codereview.chromium.org/695633003
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
drawPatch now receives as parameter const SkPoint cubics[12]
Adjusted derived classes and serialization.
Ajusted GM's and benches that take into account combinations of optional
parameters, the scale of the patch and 4 different types of patches.
Planning on adding the extra functionality of SkPatch in another CL.
BUG=skia:
R=egdaniel@google.com, reed@google.com
Author: dandov@google.com
Review URL: https://codereview.chromium.org/463493002
|
|
|
|
|
|
|
|
|
|
|
| |
corresponding drawPath calls on classes that derive from SkCanvas.
BUG=skia:
R=egdaniel@google.com, bsalomon@google.com, mtklein@google.com, robertphillips@google.com
Author: dandov@google.com
Review URL: https://codereview.chromium.org/429343004
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=skia:
R=scroggo@google.com, halcanary@google.com
Author: reed@google.com
Review URL: https://codereview.chromium.org/295793002
git-svn-id: http://skia.googlecode.com/svn/trunk@14867 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
| |
git-svn-id: http://skia.googlecode.com/svn/trunk@14862 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 874423a81b5bc2541c7397e6ab00d5e7c9fdaf98.
TBR=scroggo
Author: reed@google.com
Review URL: https://codereview.chromium.org/288313009
git-svn-id: http://skia.googlecode.com/svn/trunk@14842 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(https://codereview.chromium.org/283273002/) (https://codereview.chromium.org/288343009/)
Reason for revert:
required blink change failed to land
Original issue's description:
> Remove unused (by clients) SkUnitMapper (https://codereview.chromium.org/283273002/)
>
> This reverts commit dd50c83b5b34dab3a077741861b50ed1f2bc6b8f.
>
> BUG=skia:
>
> Committed: http://code.google.com/p/skia/source/detail?r=14830
R=scroggo@google.com, reed@google.com
TBR=reed@google.com, scroggo@google.com
NOTREECHECKS=true
NOTRY=true
BUG=skia:
Author: reed@chromium.org
Review URL: https://codereview.chromium.org/296823008
git-svn-id: http://skia.googlecode.com/svn/trunk@14838 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(https://codereview.chromium.org/283273002/)
This reverts commit dd50c83b5b34dab3a077741861b50ed1f2bc6b8f.
BUG=skia:
R=scroggo@google.com
Author: reed@google.com
Review URL: https://codereview.chromium.org/288343009
git-svn-id: http://skia.googlecode.com/svn/trunk@14830 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(https://codereview.chromium.org/283273002/)
Reason for revert:
does not address all legacy callsites in chrome.
e.g.
[13:45:32.091872] ../../ui/native_theme/native_theme_base.cc:608:76: error: no matching function for call to ‘SkGradientShader::CreateLinear(SkPoint [3], SkColor [3], NULL, int, SkShader::TileMode, NULL)’
[13:45:32.091919] gradient_bounds, colors, NULL, 3, SkShader::kClamp_TileMode, NULL));
Original issue's description:
> remove unused (by clients) SkUnitMapper
>
> BUG=skia:
>
> Committed: http://code.google.com/p/skia/source/detail?r=14761
R=robertphillips@google.com, scroggo@google.com, george@mozilla.com
TBR=george@mozilla.com, robertphillips@google.com, scroggo@google.com
NOTREECHECKS=true
NOTRY=true
BUG=skia:
Author: reed@google.com
Review URL: https://codereview.chromium.org/287063009
git-svn-id: http://skia.googlecode.com/svn/trunk@14763 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=skia:
R=robertphillips@google.com, scroggo@google.com, george@mozilla.com
Author: reed@google.com
Review URL: https://codereview.chromium.org/283273002
git-svn-id: http://skia.googlecode.com/svn/trunk@14761 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
An integer overflow was causing an issue when reading a string with a very large (or negative) size.
BUG=367764
R=senorblanco@google.com, senorblanco@chromium.org, reed@google.com, borenet@google.com
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/255693003
git-svn-id: http://skia.googlecode.com/svn/trunk@14434 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=skia:
R=mtklein@google.com
Author: reed@google.com
Review URL: https://codereview.chromium.org/247753003
git-svn-id: http://skia.googlecode.com/svn/trunk@14332 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixed a few issues while attempting to use the new
serialization path for SkPicture inside a fuzzer:
- SkReadBuffer and SkValidatingReadBuffer both had a fReader
member instead of sharing the same member, which leads to
problems if a base class function is used
- In SkPicture, a header is now written as a single chunk of
data, so it also has to be read as a single chunk of data
- In the SkPicturePlayback destructor, a bad deserialization
would lead to a crash if we don't safely unref fOpData
- Also in SkPicturePlayback, if we only use a ReadBuffer for
the whole deserialization, additional tags must be added to
parseBufferTag()
- SkValidatingReadBuffer::readBitmap() was broken, but this
path wasn't usen't since the only use case for
SkValidatingReadBuffer is currently image filters and
bitmaps are unflattened as part of the deserialization of
SkBitmapSource
- SkPictureImageFilter was not deserializable. Added it to
SkGlobalInitialization*
- Added a test that exercises the SkPicture serialization /
deserialization code
BUG=skia:
R=senorblanco@google.com, senorblanco@chromium.org, reed@google.com, robertphillips@google.com
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/195223003
git-svn-id: http://skia.googlecode.com/svn/trunk@13764 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Eliminates SkFlattenable{Read,Write}Buffer, promoting SkOrdered{Read,Write}Buffer
a step each in the hierarchy.
What used to be this:
SkFlattenableWriteBuffer -> SkOrderedWriteBuffer
SkFlattenableReadBuffer -> SkOrderedReadBuffer
SkFlattenableReadBuffer -> SkValidatingReadBuffer
is now
SkWriteBuffer
SkReadBuffer -> SkValidatingReadBuffer
Benefits:
- code is simpler, names are less wordy
- the generic SkFlattenableFooBuffer code in SkPaint was incorrect; removed
- write buffers are completely devirtualized, important for record speed
This refactoring was mostly mechanical. You aren't going to find anything
interesting in files with less than 10 lines changed.
BUG=skia:
R=reed@google.com, scroggo@google.com, djsollen@google.com, mtklein@google.com
Author: mtklein@chromium.org
Review URL: https://codereview.chromium.org/134163010
git-svn-id: http://skia.googlecode.com/svn/trunk@13245 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Added the "isAvailable" function to check how much bytes are remaining in the stream before doing potentially large mallocs. That way, we can signal a bad stream instead of crashing.
- Added data validation in SkImageInfo.cpp
- Added NULL pointer check in displacement
- Modified the fuzzer for randomized bitmap types
BUG=328934,329254
R=senorblanco@google.com, senorblanco@chromium.org, reed@google.com, sugoi@google.com
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/116773002
git-svn-id: http://skia.googlecode.com/svn/trunk@12723 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Also added early exit in SkImageFilter's constructor to avoid attempting to deserialize all inputs once a bad input has been found. This avoids hanging if a filter pretends to have 1 billion inputs when that's just an error on the number of inputs read by the filter.
BUG=326206,326197,326229
R=senorblanco@chromium.org, senorblanco@google.com, reed@google.com, sugoi@google.com
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/106943002
git-svn-id: http://skia.googlecode.com/svn/trunk@12544 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
| |
git-svn-id: http://skia.googlecode.com/svn/trunk@12428 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
| |
git-svn-id: http://skia.googlecode.com/svn/trunk@12427 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=323595
R=senorblanco@google.com, reed@google.com, sugoi@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/88643004
git-svn-id: http://skia.googlecode.com/svn/trunk@12410 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=321802,321790
R=reed@google.com, senorblanco@google.com
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/83073005
git-svn-id: http://skia.googlecode.com/svn/trunk@12362 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=
R=robertphillips@google.com, bsalomon@google.com, reed@google.com
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/61913002
git-svn-id: http://skia.googlecode.com/svn/trunk@12202 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
overflowing the buffer's stream.
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Committed: https://code.google.com/p/skia/source/detail?r=12114
Committed: https://code.google.com/p/skia/source/detail?r=12119
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/41253002
git-svn-id: http://skia.googlecode.com/svn/trunk@12130 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
| |
overflowing the buffer's stream."
This reverts commit 6bc22e8ef1ea70a1b58409aa21254358c50f149a.
git-svn-id: http://skia.googlecode.com/svn/trunk@12124 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
overflowing the buffer's stream.
BUG=
R=reed@google.com
Committed: https://code.google.com/p/skia/source/detail?r=12114
Review URL: https://codereview.chromium.org/41253002
git-svn-id: http://skia.googlecode.com/svn/trunk@12119 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
| |
('Assertion failures on various buildbots as of r12114')
git-svn-id: http://skia.googlecode.com/svn/trunk@12115 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
| |
overflowing the buffer's stream.
BUG=
R=reed@google.com
Review URL: https://codereview.chromium.org/41253002
git-svn-id: http://skia.googlecode.com/svn/trunk@12114 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=
Committed: http://code.google.com/p/skia/source/detail?r=11968
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org, bsalomon@google.com, robertphillips@google.com
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/44573002
git-svn-id: http://skia.googlecode.com/svn/trunk@11981 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1 ) Added check for bool to make sure is it either 0 or 1 and not garbage
2 ) Added more solid kernel size checks in SkMatrixConvolutionImageFilter
3 ) Make sure array size is validated in SkMergeImageFilter
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/23548034
git-svn-id: http://skia.googlecode.com/svn/trunk@11925 2bbb7eff-a529-9590-31e7-b0007b416f81
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I made it as simple as possible. The impact seems minimal and it should do what's necessary to make this code secure.
BUG=
Committed: http://code.google.com/p/skia/source/detail?r=11247
R=reed@google.com, scroggo@google.com, djsollen@google.com, sugoi@google.com, bsalomon@google.com, mtklein@google.com, senorblanco@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/23021015
git-svn-id: http://skia.googlecode.com/svn/trunk@11922 2bbb7eff-a529-9590-31e7-b0007b416f81
|