Prevent overflows when using gamma_alloc_size

author gogil <gogil@stealien.com>

Sun, 14 Aug 2016 09:12:40 +0000 (02:12 -0700)

committer Commit bot <commit-bot@chromium.org>

Sun, 14 Aug 2016 09:12:40 +0000 (02:12 -0700)
author gogil <gogil@stealien.com>
Sun, 14 Aug 2016 09:12:40 +0000 (02:12 -0700)
committer Commit bot <commit-bot@chromium.org>
Sun, 14 Aug 2016 09:12:40 +0000 (02:12 -0700)
diff --git a/AUTHORS b/AUTHORS

index 35cf14c..a5e8965 100644 (file)
--- a/AUTHORS
+++ b/AUTHORS
@@ -16,6 +16,7 @@ Anthony Catel <paraboul@gmail.com>
  ARM <*@arm.com>
  Ehsan Akhgari <ehsan.akhgari@gmail.com>
  George Wright <george@mozilla.com>
+GiWan Go <gogil@stealien.com>
  Google Inc. <*@google.com>
  Herb Derby <herbderby@gmail.com>
  Igalia <*@igalia.com>
diff --git a/src/core/SkColorSpace_ICC.cpp b/src/core/SkColorSpace_ICC.cpp

old mode 100644 (file)

new mode 100755 (executable)

index f8ad47a..e28a746
--- a/src/core/SkColorSpace_ICC.cpp
+++ b/src/core/SkColorSpace_ICC.cpp
@@ -787,7 +787,9 @@ static bool load_a2b0(sk_sp<SkColorLookUpTable>* colorLUT, SkColorSpace::GammaNa
              if (SkGammas::Type::kNamed_Type == rType) {
                  *gammaNamed = rData.fNamed;
              } else {
-                size_t allocSize = sizeof(SkGammas) + gamma_alloc_size(rType, rData);
+                size_t allocSize = sizeof(SkGammas);
+                return_if_false(safe_add(allocSize, gamma_alloc_size(rType, rData), &allocSize),
+                                "SkGammas struct is too large to allocate");
                  void* memory = sk_malloc_throw(allocSize);
                  *gammas = sk_sp<SkGammas>(new (memory) SkGammas());
                  load_gammas(memory, 0, rType, &rData, rParams, rTagPtr);
@@ -819,9 +821,13 @@ static bool load_a2b0(sk_sp<SkColorLookUpTable>* colorLUT, SkColorSpace::GammaNa
                                                         tagLen);
              handle_invalid_gamma(&bType, &bData);
  
-            size_t allocSize = sizeof(SkGammas) + gamma_alloc_size(rType, rData)
-                                                + gamma_alloc_size(gType, gData)
-                                                + gamma_alloc_size(bType, bData);
+            size_t allocSize = sizeof(SkGammas);
+            return_if_false(safe_add(allocSize, gamma_alloc_size(rType, rData), &allocSize),
+                            "SkGammas struct is too large to allocate");
+            return_if_false(safe_add(allocSize, gamma_alloc_size(gType, gData), &allocSize),
+                            "SkGammas struct is too large to allocate");
+            return_if_false(safe_add(allocSize, gamma_alloc_size(bType, bData), &allocSize),
+                            "SkGammas struct is too large to allocate");
              void* memory = sk_malloc_throw(allocSize);
              *gammas = sk_sp<SkGammas>(new (memory) SkGammas());
  
@@ -970,7 +976,10 @@ sk_sp<SkColorSpace> SkColorSpace::NewICC(const void* input, size_t len) {
                          if (SkGammas::Type::kNamed_Type == type) {
                              gammaNamed = data.fNamed;
                          } else {
-                            size_t allocSize = sizeof(SkGammas) + gamma_alloc_size(type, data);
+                            size_t allocSize = sizeof(SkGammas);
+                            if (!safe_add(allocSize, gamma_alloc_size(type, data), &allocSize)) {
+                                return_null("SkGammas struct is too large to allocate");
+                            }
                              void* memory = sk_malloc_throw(allocSize);
                              gammas = sk_sp<SkGammas>(new (memory) SkGammas());
                              load_gammas(memory, 0, type, &data, params, r->addr(base));
@@ -1002,9 +1011,13 @@ sk_sp<SkColorSpace> SkColorSpace::NewICC(const void* input, size_t len) {
                                  parse_gamma(&bData, &bParams, &tagBytes, b->addr(base), b->fLength);
                          handle_invalid_gamma(&bType, &bData);
  
-                        size_t allocSize = sizeof(SkGammas) + gamma_alloc_size(rType, rData)
-                                                            + gamma_alloc_size(gType, gData)
-                                                            + gamma_alloc_size(bType, bData);
+                        size_t allocSize = sizeof(SkGammas);
+                        if (!safe_add(allocSize, gamma_alloc_size(rType, rData), &allocSize) ||
+                            !safe_add(allocSize, gamma_alloc_size(gType, gData), &allocSize) ||
+                            !safe_add(allocSize, gamma_alloc_size(bType, bData), &allocSize))
+                        {
+                            return_null("SkGammas struct is too large to allocate");
+                        }
                          void* memory = sk_malloc_throw(allocSize);
                          gammas = sk_sp<SkGammas>(new (memory) SkGammas());
author	gogil <gogil@stealien.com>
	Sun, 14 Aug 2016 09:12:40 +0000 (02:12 -0700)
committer	Commit bot <commit-bot@chromium.org>
	Sun, 14 Aug 2016 09:12:40 +0000 (02:12 -0700)
AUTHORS		patch \| blob \| history
src/core/SkColorSpace_ICC.cpp	[changed mode: 0644->0755]	patch \| blob \| history