Address two fuzzer bugs:
authorrobertphillips <robertphillips@google.com>
Tue, 28 Jun 2016 16:04:34 +0000 (09:04 -0700)
committerCommit bot <commit-bot@chromium.org>
Tue, 28 Jun 2016 16:04:34 +0000 (09:04 -0700)
An SkImageInfo deserialized with a bogus colorType/alphaType combination wasn't being rejected.
A SAVE record whose size field had been tampered with wasn't being rejected (it only tripped a debug assert).

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2104973003

Review-Url: https://codereview.chromium.org/2104973003

src/core/SkBitmap.cpp
src/core/SkPicturePlayback.cpp

index 8cb8e4d6fc9f530c290c8fc86477572a6406e592..863169c458b8d76642d3aae13e923c68cb90ede3 100644 (file)
@@ -1145,8 +1145,10 @@ bool SkBitmap::ReadRawPixels(SkReadBuffer* buffer, SkBitmap* bitmap) {
     SkImageInfo info;
     info.unflatten(*buffer);
 
-    // If there was an error reading "info", don't use it to compute minRowBytes()
-    if (!buffer->validate(true)) {
+    // If there was an error reading "info" or if it is bogus, 
+    // don't use it to compute minRowBytes()
+    if (!buffer->validate(SkColorTypeValidateAlphaType(info.colorType(),
+                                                       info.alphaType()))) {
         return false;
     }
 
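Review bot: The new guard only rejects a colorType/alphaType mismatch, so an SkImageInfo whose width or height came back negative or implausibly large from a corrupted buffer still reaches the minRowBytes() computation the comment warns about, unless a check later in ReadRawPixels (outside this hunk) covers it. The same validate() call can carry the dimension test, e.g. `if (!buffer->validate(SkColorTypeValidateAlphaType(info.colorType(), info.alphaType()) && info.width() >= 0 && info.height() >= 0)) {`; whether SkImageInfo::unflatten already clamps or rejects bad dimensions is not visible here, so confirm before adding. The first added comment line also carries trailing whitespace. ReadRawPixels begins before this hunk and continues after it.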
index 36d385c0954a1068eda4c6d66fa0cb051dbe5997..3cbcdbbd2f3f55cf1da6dd23a187d1df36ab9071 100644 (file)
@@ -543,8 +543,9 @@ void SkPicturePlayback::handleOp(SkReadBuffer* reader,
         case SAVE:
             // SKPs with version < 29 also store a SaveFlags param.
             if (size > 4) {
-                SkASSERT(8 == size);
-                reader->readInt();
+                if (reader->validate(8 == size)) {
+                    reader->readInt();
+                }
             }
             canvas->save();
             break;
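Review bot: When `size` is neither 4 nor 8, validate() puts the reader into its error state but control still falls through to `canvas->save()`, so an extra save is issued on a stream the code has just decided is corrupt; unless the caller of handleOp stops as soon as `reader->isValid()` is false (not visible here), that leaves the canvas save stack unbalanced for the remainder of the draw. Bailing out explicitly keeps the op's side effect tied to a valid record: `if (!reader->validate(8 == size)) { break; }` in place of the new `if`, followed by the unconditional `reader->readInt();`. Since the old SkASSERT no longer documents the invariant, a one-line comment such as `// Any size other than 4 or 8 marks the reader invalid.` is worth keeping next to the check. handleOp begins before this hunk and continues after it.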