From c2ea327d14801b4001716619c7d002caa37a1574 Mon Sep 17 00:00:00 2001
From: Florin Malita <fmalita@chromium.org>
Date: Thu, 10 May 2018 09:41:38 -0400
Subject: Validate readByteArrayAsData size

Check that the reader has enough data before attempting to allocate the
buffer.

Also update to return nullptr on read failures.

Change-Id: Ia1ea8f611bad95cf3a4493b12582ac3fa7c2b00f
Reviewed-on: https://skia-review.googlesource.com/127129
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Commit-Queue: Florin Malita <fmalita@chromium.org>
---
 src/pipe/SkPipeReader.cpp | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'src/pipe')

diff --git a/src/pipe/SkPipeReader.cpp b/src/pipe/SkPipeReader.cpp
index 2614c4ecd5..ada4a21342 100644
--- a/src/pipe/SkPipeReader.cpp
+++ b/src/pipe/SkPipeReader.cpp
@@ -562,8 +562,10 @@ static void drawImageLattice_handler(SkPipeReader& reader, uint32_t packedVerb,
 static void drawVertices_handler(SkPipeReader& reader, uint32_t packedVerb, SkCanvas* canvas) {
     SkASSERT(SkPipeVerb::kDrawVertices == unpack_verb(packedVerb));
     SkBlendMode bmode = (SkBlendMode)unpack_verb_extra(packedVerb);
-    sk_sp<SkData> data = reader.readByteArrayAsData();
-    canvas->drawVertices(SkVertices::Decode(data->data(), data->size()), bmode, read_paint(reader));
+    if (sk_sp<SkData> data = reader.readByteArrayAsData()) {
+        canvas->drawVertices(SkVertices::Decode(data->data(), data->size()), bmode,
+                             read_paint(reader));
+    }
 }
 
 static void drawPicture_handler(SkPipeReader& reader, uint32_t packedVerb, SkCanvas* canvas) {
@@ -634,7 +636,7 @@ static void defineImage_handler(SkPipeReader& reader, uint32_t packedVerb, SkCan
     } else {
         // we are defining a new image
         sk_sp<SkData> data = reader.readByteArrayAsData();
-        sk_sp<SkImage> image = inflator->makeImage(data);
+        sk_sp<SkImage> image = data ? inflator->makeImage(data) : nullptr;
         if (!image) {
             SkDebugf("-- failed to decode\n");
         }
@@ -663,7 +665,7 @@ static void defineTypeface_handler(SkPipeReader& reader, uint32_t packedVerb, Sk
         // we are defining a new image
         sk_sp<SkData> data = reader.readByteArrayAsData();
         // TODO: seems like we could "peek" to see the array, and not need to copy it.
-        sk_sp<SkTypeface> tf = inflator->makeTypeface(data->data(), data->size());
+        sk_sp<SkTypeface> tf = data ? inflator->makeTypeface(data->data(), data->size()) : nullptr;
         inflator->setTypeface(index, tf.get());
     }
 }
-- 
cgit v1.2.3