From fee7cbaf44553dda1a0dd4bfc87a1dfc0d7dd369 Mon Sep 17 00:00:00 2001
From: Leon Scroggins III
Date: Tue, 13 Feb 2018 16:41:03 -0500
Subject: Check the length of marker before reading it
Bug: os-fuzz:6295
Change-Id: I0ea9a3c54d61d41f21f2e9b945ab83fa2beb00d8
Reviewed-on: https://skia-review.googlesource.com/107025
Reviewed-by: Mike Klein
Commit-Queue: Leon Scroggins
---
 resources/invalid_images/osfuzz6295.webp | Bin 0 -> 48 bytes
 src/codec/SkJpegCodec.cpp | 3 ++-
 tests/CodecTest.cpp | 13 ++++++++++---
 3 files changed, 12 insertions(+), 4 deletions(-)
 create mode 100644 resources/invalid_images/osfuzz6295.webp
diff --git a/resources/invalid_images/osfuzz6295.webp b/resources/invalid_images/osfuzz6295.webp
new file mode 100644
index 0000000000..bb20aba1a7
Binary files /dev/null and b/resources/invalid_images/osfuzz6295.webp differ
diff --git a/src/codec/SkJpegCodec.cpp b/src/codec/SkJpegCodec.cpp
index d2c023b437..4f48886be2 100644
--- a/src/codec/SkJpegCodec.cpp
+++ b/src/codec/SkJpegCodec.cpp
@@ -62,7 +62,8 @@ static bool is_orientation_marker(jpeg_marker_struct* marker, SkEncodedOrigin* o
 bool is_orientation_marker(const uint8_t* data, size_t data_length, SkEncodedOrigin* orientation) {
 bool littleEndian;
- if (!is_valid_endian_marker(data, &littleEndian)) {
+ // We need eight bytes to read the endian marker and the offset, below.
+ if (data_length < 8 || !is_valid_endian_marker(data, &littleEndian)) {
 return false;
 }
diff --git a/tests/CodecTest.cpp b/tests/CodecTest.cpp
index df94547600..8172751cf6 100644
--- a/tests/CodecTest.cpp
+++ b/tests/CodecTest.cpp
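Review bot: The added guard covers only the endian marker and the offset read from the first eight bytes of `data`; the offset is presumably then used to index further into `data` below this hunk, and if that later access is not itself bounded by `data_length` an in-range header carrying an out-of-range offset still reaches past the buffer, so that check should be confirmed where the offset is consumed. The bare `8` and the comment explaining it can drift apart; a named constant next to the check, e.g. `constexpr size_t kEndianMarkerAndOffsetBytes = 8;`, ties the two together. The body of `is_orientation_marker` continues past the end of the hunk.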
@@ -621,14 +621,20 @@ DEF_TEST(Codec_Dimensions, r) {
 }
 static void test_invalid(skiatest::Reporter* r, const char path[]) {
- std::unique_ptr stream(GetResourceAsStream(path));
- if (!stream) {
+ auto data = GetResourceAsData(path);
+ if (!data) {
+ ERRORF(r, "Failed to get resources %s", path);
 return;
 }
- REPORTER_ASSERT(r, !SkCodec::MakeFromStream(std::move(stream)));
+
+ REPORTER_ASSERT(r, !SkCodec::MakeFromData(data));
 }
 DEF_TEST(Codec_Empty, r) {
+ if (GetResourcePath().isEmpty()) {
+ return;
+ }
+
 // Test images that should not be able to create a codec
 test_invalid(r, "empty_images/zero-dims.gif");
 test_invalid(r, "empty_images/zero-embedded.ico");
@@ -648,6 +654,7 @@ DEF_TEST(Codec_Empty, r) {
 test_invalid(r, "empty_images/zero_height.tiff");
 #endif
 test_invalid(r, "invalid_images/b37623797.ico");
+ test_invalid(r, "invalid_images/osfuzz6295.webp");
 }
 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
--
cgit v1.2.3
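Review bot: `data` is not used after the `REPORTER_ASSERT` in `test_invalid`, so it can be handed over instead of copied: `REPORTER_ASSERT(r, !SkCodec::MakeFromData(std::move(data)));` — assuming `GetResourceAsData` returns an `sk_sp<SkData>` (the `auto` hides the type) the copy is only a refcount round-trip, so this is a point of style rather than a defect. The new early return in `Codec_Empty` makes the whole test pass vacuously when `GetResourcePath()` is empty; a comment at that spot such as `// Resources are optional: skip rather than fail when none are configured` would record that this is deliberate, since the `ERRORF` added to `test_invalid` would otherwise fire for every file.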