From d594dbec0407343b7ac13af9c4580ec5933ab060 Mon Sep 17 00:00:00 2001
From: "commit-bot@chromium.org"
Date: Wed, 23 Oct 2013 18:33:18 +0000
Subject: Follow up to serialization validation code

1 ) Added check for bool to make sure is it either 0 or 1 and not garbage
2 ) Added more solid kernel size checks in SkMatrixConvolutionImageFilter
3 ) Make sure array size is validated in SkMergeImageFilter

BUG=
R=reed@google.com, mtklein@google.com, senorblanco@google.com, senorblanco@chromium.org

Author: sugoi@chromium.org

Review URL: https://codereview.chromium.org/23548034

git-svn-id: http://skia.googlecode.com/svn/trunk@11925 2bbb7eff-a529-9590-31e7-b0007b416f81
---
 src/effects/SkMatrixConvolutionImageFilter.cpp | 20 +++++++++++++++-----
 src/effects/SkMergeImageFilter.cpp             |  4 +++-
 2 files changed, 18 insertions(+), 6 deletions(-)

(limited to 'src/effects')

diff --git a/src/effects/SkMatrixConvolutionImageFilter.cpp b/src/effects/SkMatrixConvolutionImageFilter.cpp
index 909facb0c9..cac30e6a49 100644
--- a/src/effects/SkMatrixConvolutionImageFilter.cpp
+++ b/src/effects/SkMatrixConvolutionImageFilter.cpp
@@ -61,17 +61,27 @@ SkMatrixConvolutionImageFilter::SkMatrixConvolutionImageFilter(SkFlattenableRead
     : INHERITED(buffer) {
     fKernelSize.fWidth = buffer.readInt();
     fKernelSize.fHeight = buffer.readInt();
-    uint32_t size = fKernelSize.fWidth * fKernelSize.fHeight;
-    fKernel = SkNEW_ARRAY(SkScalar, size);
-    SkDEBUGCODE(uint32_t readSize = )buffer.readScalarArray(fKernel);
-    SkASSERT(readSize == size);
+    if ((fKernelSize.fWidth >= 1) && (fKernelSize.fHeight >= 1) &&
+        // Make sure size won't be larger than a signed int,
+        // which would still be extremely large for a kernel,
+        // but we don't impose a hard limit for kernel size
+        (SK_MaxS32 / fKernelSize.fWidth >= fKernelSize.fHeight)) {
+        uint32_t size = fKernelSize.fWidth * fKernelSize.fHeight;
+        fKernel = SkNEW_ARRAY(SkScalar, size);
+        uint32_t readSize = buffer.readScalarArray(fKernel);
+        SkASSERT(readSize == size);
+        buffer.validate(readSize == size);
+    } else {
+        fKernel = 0;
+    }
     fGain = buffer.readScalar();
     fBias = buffer.readScalar();
     fTarget.fX = buffer.readInt();
     fTarget.fY = buffer.readInt();
     fTileMode = (TileMode) buffer.readInt();
     fConvolveAlpha = buffer.readBool();
-    buffer.validate(SkScalarIsFinite(fGain) &&
+    buffer.validate((fKernel != 0) &&
+                    SkScalarIsFinite(fGain) &&
                     SkScalarIsFinite(fBias) &&
                     tile_mode_is_valid(fTileMode));
 }
diff --git a/src/effects/SkMergeImageFilter.cpp b/src/effects/SkMergeImageFilter.cpp
index a5c32acaf7..4de1093612 100755
--- a/src/effects/SkMergeImageFilter.cpp
+++ b/src/effects/SkMergeImageFilter.cpp
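Review bot: The new guard bounds width*height but not the allocation that follows it — at `fKernel = SkNEW_ARRAY(SkScalar, size)` two stream-controlled ints can still request up to SK_MaxS32 scalars (and `size * sizeof(SkScalar)` can itself wrap on a 32-bit target) before `readScalarArray` reports the mismatch, and since `readScalarArray(fKernel)` receives only the destination pointer it is not visible here whether it stops at `size` elements or at the serialized count; if the latter, a stream whose count exceeds `size` has already overrun fKernel when `readSize == size` is finally checked. The SkMergeImageFilter hunk in this same commit already shows the safer order — compare `buffer.getArrayCount()` with the expected size and validate before touching memory — so the same pattern fits here, leaving fKernel null on mismatch so the final `(fKernel != 0)` validate fails cleanly. The surviving `SkASSERT(readSize == size)` also turns a malformed stream into a debug-build abort even though the `validate()` on the next line now handles it, which works against the purpose of this series; I would drop it.
```cpp
    uint32_t size = 0;
    if ((fKernelSize.fWidth >= 1) && (fKernelSize.fHeight >= 1) &&
        // … unchanged: signed-int overflow comment …
        (SK_MaxS32 / fKernelSize.fWidth >= fKernelSize.fHeight)) {
        size = fKernelSize.fWidth * fKernelSize.fHeight;
    }
    // Compare the serialized element count with the expected kernel size
    // before allocating, so a hostile stream can neither force a huge
    // allocation nor supply more scalars than fKernel can hold.
    bool sizeMatches = (size != 0) && (buffer.getArrayCount() == size);
    buffer.validate(sizeMatches);
    if (sizeMatches) {
        fKernel = SkNEW_ARRAY(SkScalar, size);
        uint32_t readSize = buffer.readScalarArray(fKernel);
        buffer.validate(readSize == size);
    } else {
        fKernel = 0;
    }
    // … unchanged: fGain/fBias/fTarget/fTileMode/fConvolveAlpha reads and final validate …
```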
@@ -161,7 +161,9 @@ SkMergeImageFilter::SkMergeImageFilter(SkFlattenableReadBuffer& buffer) : INHERI
     if (hasModes) {
         this->initAllocModes();
         int nbInputs = countInputs();
-        SkASSERT(buffer.getArrayCount() == nbInputs * sizeof(fModes[0]));
+        bool sizeMatches = buffer.getArrayCount() == nbInputs * sizeof(fModes[0]);
+        buffer.validate(sizeMatches);
+        SkASSERT(sizeMatches);
         buffer.readByteArray(fModes);
         for (int i = 0; i < nbInputs; ++i) {
             buffer.validate(SkIsValidMode((SkXfermode::Mode)fModes[i]));
-- 
cgit v1.2.3
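Review bot: `buffer.readByteArray(fModes)` on the line after the new checks still executes when sizeMatches is false, so the mismatch is recorded but the read is not prevented; whether readByteArray itself bounds the copy to the fModes storage that `initAllocModes()` sized for nbInputs is not visible in the hunk, and if it copies the serialized count instead, an oversized count overruns fModes regardless of the validate. Gate the read on the check, `if (sizeMatches) { buffer.readByteArray(fModes); }`, and either put the mode-validation loop under the same condition or zero-fill fModes on failure so the loop does not inspect bytes that were never read. `SkASSERT(sizeMatches)` also makes a malformed stream abort debug builds even though `validate()` now handles it — an assert on untrusted input is exactly what this series is replacing, so I would keep only the validate. The constructor's body begins and ends outside the hunk, so the closing of the `if (hasModes)` block is not shown here.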