This fixes deserialization bugs found by fuzzing SkPaintImageFilter.
BUG=576908,576910
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=
1589533002
Review URL: https://codereview.chromium.org/
1589533002
}
bool SkRBufferWithSizeCheck::read(void* buffer, size_t size) {
- fError = fError || (fPos + size > fStop);
+ fError = fError || (size > static_cast<size_t>(fStop - fPos));
if (!fError && (size > 0)) {
readNoSizeCheck(buffer, size);
}
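Review bot: The rewritten check on the `fError = ...` line relies on the invariant fPos <= fStop (assuming both are positions into the same buffer); if that invariant is ever broken, `fStop - fPos` goes negative and the static_cast to size_t turns it into a huge value that accepts any size, so the invariant deserves to be pinned. I'd add `SkASSERT(fPos <= fStop);` before the assignment, and keep the reason for the subtraction form next to it: `// compare against the bytes remaining instead of forming fPos + size, which could wrap past fStop`. The body of read() continues past the end of the hunk.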
void SkPaint::unflatten(SkReadBuffer& buffer) {
SkASSERT(SkAlign4(kPODPaintSize) == kPODPaintSize);
+ if (!buffer.validateAvailable(kPODPaintSize)) {
+ return;
+ }
const void* podData = buffer.skip(kPODPaintSize);
const uint32_t* pod = reinterpret_cast<const uint32_t*>(podData);
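Review bot: The early return added after validateAvailable() leaves the paint untouched but gives the caller no direct signal, since unflatten() returns void; presumably validateAvailable() flags the buffer as invalid, and that contract should be stated at the return, e.g. `return; // buffer now records the failure; the paint keeps its previous state`. Separately, the reinterpret_cast to const uint32_t* on the last line assumes podData is 4-byte aligned, which the SkAlign4 assertion on the size does not establish; if SkReadBuffer does not guarantee aligned reads, a memcpy into a local uint32_t array would be the safe form. The remainder of unflatten() is outside the hunk.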
uint8_t dir = (packed >> kDirection_SerializationShift) & 0x3;
fIsVolatile = (packed >> kIsVolatile_SerializationShift) & 0x1;
SkPathRef* pathRef = SkPathRef::CreateFromBuffer(&buffer);
+ if (!pathRef) {
+ return 0;
+ }
+
+ fPathRef.reset(pathRef);
+ SkDEBUGCODE(this->validate();)
+ buffer.skipToAlign4();
// compatibility check
if (version < kPathPrivFirstDirection_Version) {
fFirstDirection = dir;
}
- size_t sizeRead = 0;
- if (buffer.isValid()) {
- fPathRef.reset(pathRef);
- SkDEBUGCODE(this->validate();)
- buffer.skipToAlign4();
- sizeRead = buffer.pos();
- } else if (pathRef) {
- // If the buffer is not valid, pathRef should be nullptr
- sk_throw();
- }
- return sizeRead;
+ return buffer.pos();
}
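Review bot: The new code drops the consistency check the removed lines carried: once pathRef is non-null, fPathRef is reset and buffer.pos() is returned without consulting buffer.isValid(), so if CreateFromBuffer can hand back a ref while the buffer is already flagged invalid, the caller receives a non-zero size and treats a partially read path as success. Unless CreateFromBuffer guarantees null on every error, keep the guard right after the null check, `if (!buffer.isValid()) { return 0; }`, or make the guarantee explicit with `SkASSERT(buffer.isValid());`. Note also that fIsVolatile is written from packed before the new failure return, so a rejected read still mutates the path; moving that assignment below the null check keeps the object unchanged on failure. readFromMemory() starts before this hunk, where packed and version are read.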
///////////////////////////////////////////////////////////////////////////////
int32_t verbCount, pointCount, conicCount;
if (!buffer->readU32(&(ref->fGenerationID)) ||
!buffer->readS32(&verbCount) ||
+ verbCount < 0 ||
!buffer->readS32(&pointCount) ||
- !buffer->readS32(&conicCount)) {
+ pointCount < 0 ||
+ !buffer->readS32(&conicCount) ||
+ conicCount < 0) {
delete ref;
return nullptr;
}
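Review bot: The added checks reject only negative counts; a very large positive verbCount, pointCount or conicCount still passes here and presumably sizes the allocation that follows outside the hunk, so if that later code does not bound the counts against the bytes left in the buffer, a fuzzed input can request an enormous allocation before any read fails. A cheap guard at this point is to compare each count against the buffer's remaining size (whatever remaining-size query SkRBuffer offers) before the counts are used. Minor: `delete ref;` on the error path is the raw owning-pointer pattern; holding ref in a scoped unref holder would make the early returns uniform and remove the manual delete. CreateFromBuffer() starts before this hunk, where ref is created.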