Fixing another clusterfuzz issue
authorsugoi <sugoi@chromium.org>
Fri, 6 Jun 2014 13:44:16 +0000 (06:44 -0700)
committerCommit bot <commit-bot@chromium.org>
Fri, 6 Jun 2014 13:44:17 +0000 (06:44 -0700)
This was introduced by removing SkValidatingReadBuffer::readBitmap in https://codereview.chromium.org/295793002/

Since SkReadBuffer::skip wasn't virtual, it was using the unsafe SkReadBuffer::skip within SkReadBuffer::readBitmap rather than using SkValidatingReadBuffer::skip. I also removed direct uses of fReader within SkReadBuffer::readBitmap so that it can use the virtual readInt / readFixed functions that have a version in SkValidatingReadBuffer.

Also, I changed SkReadBuffer::readPoint so that it uses the virtual readScalar, that way, it becomes redundant with SkValidatingReadBuffer::readPoint, which can then be removed.

BUG=380723
R=reed@google.com, mtklein@google.com, sugoi@google.com

Author: sugoi@chromium.org

Review URL: https://codereview.chromium.org/317003003

include/core/SkReadBuffer.h
src/core/SkReadBuffer.cpp
src/core/SkValidatingReadBuffer.h

index 5364bee..b792be3 100644 (file)
@@ -84,7 +84,7 @@ public:
     size_t size() { return fReader.size(); }
     size_t offset() { return fReader.offset(); }
     bool eof() { return fReader.eof(); }
-    const void* skip(size_t size) { return fReader.skip(size); }
+    virtual const void* skip(size_t size) { return fReader.skip(size); }
     void* readFunctionPtr() { return fReader.readPtr(); }
 
     // primitives
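Review bot: The now-virtual `skip` on the added line has no comment stating its contract, which is the very thing this fix depends on. The commit message calls the base version unsafe and relies on SkValidatingReadBuffer overriding it, so say so at the declaration, e.g. `// Unchecked in the base class; SkValidatingReadBuffer overrides this to validate the size.` The neighbouring `readFunctionPtr()` remains non-virtual and also reads through `fReader` directly. Whether the validating subclass needs its own version of that accessor is not visible in this hunk.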
index a3ae8ae..cacf989 100644 (file)
@@ -199,8 +199,8 @@ bool SkReadBuffer::readBitmap(SkBitmap* bitmap) {
     if (this->readBool()) {
         // An SkBitmapHeap was used for writing. Read the index from the stream and find the
         // corresponding SkBitmap in fBitmapStorage.
-        const uint32_t index = fReader.readU32();
-        fReader.readU32(); // bitmap generation ID (see SkWriteBuffer::writeBitmap)
+        const uint32_t index = this->readUInt();
+        this->readUInt(); // bitmap generation ID (see SkWriteBuffer::writeBitmap)
         if (fBitmapStorage) {
             *bitmap = *fBitmapStorage->getBitmap(index);
             fBitmapStorage->releaseRef(index);
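Review bot: `index` is read from the serialized stream and passed to `fBitmapStorage->getBitmap(index)`, whose result is dereferenced on the same line with no visible range or null check. Reading it through `this->readUInt()` lets a validating subclass reject a truncated buffer, but a well-formed buffer carrying an out-of-range index still reaches the dereference. Whether `getBitmap` bounds-checks internally is not shown on this page. A guard before the copy would close this, e.g. `const SkBitmap* stored = fBitmapStorage->getBitmap(index);` followed by `if (NULL == stored) { return false; }`. The body of readBitmap starts and ends outside this hunk.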
@@ -223,8 +223,8 @@ bool SkReadBuffer::readBitmap(SkBitmap* bitmap) {
             // A non-zero size means the SkBitmap was encoded. Read the data and pixel
             // offset.
             const void* data = this->skip(length);
-            const int32_t xOffset = fReader.readS32();
-            const int32_t yOffset = fReader.readS32();
+            const int32_t xOffset = this->readInt();
+            const int32_t yOffset = this->readInt();
             if (fBitmapDecoder != NULL && fBitmapDecoder(data, length, bitmap)) {
                 if (bitmap->width() == width && bitmap->height() == height) {
 #ifdef DEBUG_NON_DETERMINISTIC_ASSERT
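Review bot: The pointer returned by `this->skip(length)` is passed to `fBitmapDecoder(data, length, bitmap)` without a check, and `skip` is now a virtual call that a validating subclass can fail. If the override signals a rejected length by returning NULL (its body is not shown on this page), the decoder receives a null buffer together with a `length` that presumably came from the stream. A guard such as `if (data != NULL && fBitmapDecoder != NULL && fBitmapDecoder(data, length, bitmap)) {` keeps that case out of the decoder. readBitmap continues outside this hunk.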
index 0a9e253..5cf3abe 100644 (file)
@@ -23,7 +23,7 @@ public:
     SkValidatingReadBuffer(const void* data, size_t size);
     virtual ~SkValidatingReadBuffer();
 
-    const void* skip(size_t size);
+    virtual const void* skip(size_t size) SK_OVERRIDE;
 
     // primitives
     virtual bool readBool() SK_OVERRIDE;