Handle bad ICO data better.

Interpret size and offset as size_t, as they should be. When read
as int, they could be negative values. If they are negative (rather
than positive and very large), they will not allow us to fail the
length test, resulting in trying to read uninitialized memory.

BUG=b/16010240
R=halcanary@google.com

Author: scroggo@google.com

Review URL: https://codereview.chromium.org/374413005

diff --git a/src/images/SkImageDecoder_libico.cpp b/src/images/SkImageDecoder_libico.cpp
index d415d2b..90058d6 100644 (file)
--- a/src/images/SkImageDecoder_libico.cpp
+++ b/src/images/SkImageDecoder_libico.cpp
@@ -152,10 +152,11 @@ bool SkICOImageDecoder::onDecode(SkStream* stream, SkBitmap* bm, Mode mode)
     //int reservedToo = readByte(buf, 9 + choice*16);   //0
     //int planes = read2Bytes(buf, 10 + choice*16);       //1 - but often 0
     //int fakeBitCount = read2Bytes(buf, 12 + choice*16); //should be real - usually 0
-    int size = read4Bytes(buf, 14 + choice*16);           //matters?
-    int offset = read4Bytes(buf, 18 + choice*16);
-    if ((size_t)(offset + size) > length)
+    const size_t size = read4Bytes(buf, 14 + choice*16);           //matters?
+    const size_t offset = read4Bytes(buf, 18 + choice*16);
+    if ((offset + size) > length) {
         return false;
+    }
 
     // Check to see if this is a PNG image inside the ICO
     {