From 12a4dc985b894083a9130d8f5770e67656418b52 Mon Sep 17 00:00:00 2001
From: Leon Scroggins III
Date: Mon, 5 Jun 2017 14:06:57 -0400
Subject: Defend against ICOs with large BMPs embedded
If the ICO reports that it has a large BMP file embedded, do not crash if we attempt to allocate too much memory.
Bug: b/38116746
Change-Id: I70eb66f5e4ffc15587007b398bbe843665eae500
Reviewed-on: https://skia-review.googlesource.com/18447
Reviewed-by: Matt Sarett
Commit-Queue: Leon Scroggins
---
 resources/invalid_images/b38116746.ico | Bin 0 -> 1024 bytes
 src/codec/SkIcoCodec.cpp | 11 +++++++++--
 tests/BadIcoTest.cpp | 1 +
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 resources/invalid_images/b38116746.ico
diff --git a/resources/invalid_images/b38116746.ico b/resources/invalid_images/b38116746.ico
new file mode 100644
index 0000000000..35ee5b5a28
Binary files /dev/null and b/resources/invalid_images/b38116746.ico differ
diff --git a/src/codec/SkIcoCodec.cpp b/src/codec/SkIcoCodec.cpp
index 9ea092efc0..9d424f3e4e 100644
--- a/src/codec/SkIcoCodec.cpp
+++ b/src/codec/SkIcoCodec.cpp
@@ -128,11 +128,18 @@ SkCodec* SkIcoCodec::NewFromStream(SkStream* stream) {
 bytesRead = offset;
 // Create a new stream for the embedded codec
- sk_sp data(SkData::MakeFromStream(inputStream.get(), size));
- if (nullptr == data.get()) {
+ SkAutoFree buffer(sk_malloc_flags(size, 0));
+ if (!buffer) {
+ SkCodecPrintf("Warning: OOM trying to create embedded stream.\n");
+ break;
+ }
+
+ if (inputStream->read(buffer.get(), size) != size) {
 SkCodecPrintf("Warning: could not create embedded stream.\n");
 break;
 }
+
+ sk_sp data(SkData::MakeFromMalloc(buffer.release(), size));
 std::unique_ptr embeddedStream(new SkMemoryStream(data));
 bytesRead += size;
diff --git a/tests/BadIcoTest.cpp b/tests/BadIcoTest.cpp
index 229e9bc44e..670c2ac311 100644
--- a/tests/BadIcoTest.cpp
+++ b/tests/BadIcoTest.cpp
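Review bot: In the src/codec/SkIcoCodec.cpp hunk, `sk_malloc_flags(size, 0)` still requests the full file-reported `size` before any byte of the embedded image has been read, so a small file (the new test resource is 1024 bytes) can still trigger a very large allocation attempt; the change only makes a failed attempt non-fatal. On systems that overcommit memory the allocation may well succeed, and rejection then depends entirely on the short `read()`; where the stream knows its length (`hasLength()` / `getLength()`), comparing `size` with the bytes remaining before allocating would reject such entries without touching the allocator. The bare `0` also deserves a comment, for example `// No SK_MALLOC_THROW: return nullptr on failure instead of aborting.` `NewFromStream` starts and ends outside the hunk, so where `size` is parsed and whether it is bounded earlier is not visible here.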
@@ -24,6 +24,7 @@ DEF_TEST(BadImage, reporter) {
 "ico_fuzz1.ico",
 "skbug3442.webp",
 "skbug3429.webp",
+ "b38116746.ico",
 };
 const char* badImagesFolder = "invalid_images";
-- 
cgit v1.2.3