From 83239658f2dea7fdfd5d4f11521c0e2a326aa345 Mon Sep 17 00:00:00 2001
From: Leon Scroggins III <scroggo@google.com>
Date: Fri, 21 Apr 2017 13:47:12 -0400
Subject: Reland "Make SkPngCodec only read as much of the stream as necessary"

(Originally uploaded as 13900.)

Previously, SkPngCodec assumed that the stream only contained one
image, which ended at the end of the stream. It read the stream in
arbitrarily-sized chunks, and then passed that data to libpng for
processing.

If a stream contains more than one image, this may result in reading
beyond the end of the image, making future reads read the wrong data.

Now, SkPngCodec starts by reading 8 bytes at a time. After the
signature, 8 bytes is enough to know which chunk is next and how many
bytes are in the chunk.

When decoding the size, we stop when we reach IDAT, and when decoding
the image, we stop when we reach IEND.

This manual parsing is necessary to support APNG, which is planned in
the future. It also allows us to remove the SK_GOOGLE3_PNG_HACK, which
was a workaround for reading more than necessary at the beginning of
the image.

Add a test that simulates the issue, by decoding a special stream that
reports an error if the codec attempts to read beyond the end.

Temporarily disable the partial decoding tests for png. A larger change
will be necessary to get those working again, and no clients are
currently relying on incrementally decoding PNGs (i.e. decode part of
an image, then decode further with more data).

Include a workaround for older versions of libpng (e.g. 1.2 in
Google3). In older versions, if the row callback is null when the
IDAT header is processed, reading the image will fail. When we see the
IDAT, we save the length and process a recreated IDAT header later,
after the row callback has been set.

Bug: skia:5368
Bug:b/34073812
Test: Existing tests, plus a new test in dm.

Change-Id: I293a4ddc013b82669a8b735062228b26d0bce933
Reviewed-on: https://skia-review.googlesource.com/13984
Commit-Queue: Leon Scroggins <scroggo@google.com>
Reviewed-by: Matt Sarett <msarett@google.com>
---
 tests/CodecExactReadTest.cpp | 102 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 tests/CodecExactReadTest.cpp

(limited to 'tests/CodecExactReadTest.cpp')

diff --git a/tests/CodecExactReadTest.cpp b/tests/CodecExactReadTest.cpp
new file mode 100644
index 0000000000..7e0d8eaccc
--- /dev/null
+++ b/tests/CodecExactReadTest.cpp
@@ -0,0 +1,102 @@
+/*
+ * Copyright 2017 Google Inc.
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "Resources.h"
+#include "Test.h"
+
+#include "SkBitmap.h"
+#include "SkCodec.h"
+#include "SkData.h"
+#include "SkStream.h"
+
+namespace {
+// This class emits a skiatest failure if a client attempts to read beyond its
+// end. Since it is used with complete, valid images, and contains nothing
+// after the encoded image data, it will emit a failure if the client attempts
+// to read beyond the logical end of the data.
+class MyStream : public SkStream {
+public:
+    static MyStream* Make(const char* path, skiatest::Reporter* r) {
+        SkASSERT(path);
+        sk_sp<SkData> data(GetResourceAsData(path));
+        if (!data) {
+            return nullptr;
+        }
+
+        return new MyStream(path, std::move(data), r);
+    }
+
+    size_t read(void* buf, size_t bytes) override {
+        const size_t remaining = fStream.getLength() - fStream.getPosition();
+        if (bytes > remaining) {
+            ERRORF(fReporter, "Tried to read %lu bytes (only %lu remaining) from %s",
+                   bytes, remaining, fPath);
+        }
+        return fStream.read(buf, bytes);
+    }
+
+    bool rewind() override {
+        return fStream.rewind();
+    }
+
+    bool isAtEnd() const override {
+        return fStream.isAtEnd();
+    }
+private:
+    const char* fPath;
+    SkMemoryStream fStream;
+    skiatest::Reporter* fReporter;  // Unowned
+
+    MyStream(const char* path, sk_sp<SkData> data, skiatest::Reporter* r)
+        : fPath(path)
+        , fStream(std::move(data))
+        , fReporter(r)
+    {}
+};
+} // namespace
+
+// Test that SkPngCodec does not attempt to read its input beyond the logical
+// end of its data. Some other SkCodecs do, but some Android apps rely on not
+// doing so for PNGs.
+DEF_TEST(Codec_end, r) {
+    for (const char* path : { "plane.png",
+                              "yellow_rose.png",
+                              "plane_interlaced.png" }) {
+        std::unique_ptr<MyStream> stream(MyStream::Make(path, r));
+        if (!stream) {
+            continue;
+        }
+
+        std::unique_ptr<SkCodec> codec(SkCodec::NewFromStream(stream.release()));
+        if (!codec) {
+            ERRORF(r, "Failed to create a codec from %s\n", path);
+            continue;
+        }
+
+        auto info = codec->getInfo().makeColorType(kN32_SkColorType);
+        SkBitmap bm;
+        bm.allocPixels(info);
+
+        auto result = codec->getPixels(bm.info(), bm.getPixels(), bm.rowBytes());
+        if (result != SkCodec::kSuccess) {
+            ERRORF(r, "Failed to getPixels from %s. error %i", path, result);
+            continue;
+        }
+
+        // Rewind and do an incremental decode.
+        result = codec->startIncrementalDecode(bm.info(), bm.getPixels(), bm.rowBytes());
+        if (result != SkCodec::kSuccess) {
+            ERRORF(r, "Failed to startIncrementalDecode from %s. error %i", path, result);
+            continue;
+        }
+
+        result = codec->incrementalDecode();
+        if (result != SkCodec::kSuccess) {
+            ERRORF(r, "Failed to incrementalDecode from %s. error %i", path, result);
+        }
+    }
+}
-- 
cgit v1.2.3