projects / platform / upstream / libSkiaSharp.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6a4c239)
Fix out of bounds read in SkColorSpace::MakeICC
authorMatt Sarett <msarett@google.com>
Tue, 18 Apr 2017 15:08:29 +0000 (11:08 -0400)
committerMatt Sarett <msarett@google.com>
Fri, 21 Apr 2017 21:08:47 +0000 (21:08 +0000)
Bug: 711895
Change-Id: I8574289bda842cf1be3fb5bcf347a81b98fdc6b0
Reviewed-on: https://skia-review.googlesource.com/13690
Commit-Queue: Matt Sarett <msarett@google.com>
Reviewed-by: Mike Klein <mtklein@chromium.org>
(cherry picked from commit 6e834799946537370e6f3c10aa2745ed969b2a27)
Reviewed-on: https://skia-review.googlesource.com/14103
Reviewed-by: Matt Sarett <msarett@google.com>
src/core/SkColorSpace_ICC.cpp patch | blob | history

diff --git a/src/core/SkColorSpace_ICC.cpp b/src/core/SkColorSpace_ICC.cpp
index 9c2082a..6d4bba2 100644 (file)
--- a/src/core/SkColorSpace_ICC.cpp
+++ b/src/core/SkColorSpace_ICC.cpp
@@ -1185,7 +1185,11 @@ static inline int icf_channels(SkColorSpace_Base::ICCTypeFlag iccType) {
 static bool load_a2b0(std::vector<SkColorSpace_A2B::Element>* elements, const uint8_t* src,
                       size_t len, SkColorSpace_A2B::PCS pcs,
                       SkColorSpace_Base::ICCTypeFlag iccType) {
+    if (len < 4) {
+        return false;
+    }
     const uint32_t type = read_big_endian_u32(src);
+
     switch (type) {
         case kTAG_AtoBType:
             if (len < 32) {
Domain: Dotnet / API;