From: scroggo
Date: Wed, 9 Jul 2014 22:04:20 +0000 (-0700)
Subject: Handle bad ICO data better.
X-Git-Tag: accepted/tizen/5.0/unified/20181102.025319~6842
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=57ad493789cb1a97574390b5ccf4fb9183ed3814;p=platform%2Fupstream%2FlibSkiaSharp.git
Handle bad ICO data better.
Interpret size and offset as size_t, as they should be. When read as int, they could be negative values. If they are negative (rather than positive and very large), they will not allow us to fail the length test, resulting in trying to read uninitialized memory.
BUG=b/16010240
R=halcanary@google.com
Author: scroggo@google.com
Review URL: https://codereview.chromium.org/374413005
---
diff --git a/src/images/SkImageDecoder_libico.cpp b/src/images/SkImageDecoder_libico.cpp
index d415d2b..90058d6 100644
--- a/src/images/SkImageDecoder_libico.cpp
+++ b/src/images/SkImageDecoder_libico.cpp
@@ -152,10 +152,11 @@ bool SkICOImageDecoder::onDecode(SkStream* stream, SkBitmap* bm, Mode mode)
 //int reservedToo = readByte(buf, 9 + choice*16); //0
 //int planes = read2Bytes(buf, 10 + choice*16); //1 - but often 0
 //int fakeBitCount = read2Bytes(buf, 12 + choice*16); //should be real - usually 0
- int size = read4Bytes(buf, 14 + choice*16); //matters?
- int offset = read4Bytes(buf, 18 + choice*16);
- if ((size_t)(offset + size) > length)
+ const size_t size = read4Bytes(buf, 14 + choice*16); //matters?
+ const size_t offset = read4Bytes(buf, 18 + choice*16);
+ if ((offset + size) > length) {
 return false;
+ }
 // Check to see if this is a PNG image inside the ICO
 {
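Review bot: The new check `if ((offset + size) > length)` can still wrap when size_t is 32 bits wide, because both operands are 32-bit fields read by read4Bytes: an entry with offset 0xFFFFFF00 and size 0x200 sums to 0x100, passes the test, and the later access at buf + offset lands far outside the buffer the commit is trying to protect. Compare without forming the sum, `if (offset > length || size > length - offset) {`, which rejects every out-of-range pair on any word size. read4Bytes's return type is not visible in the hunk; if it is signed, the conversion to size_t is well defined but on a 32-bit target still yields only a 32-bit value, so the subtraction form is needed either way. The remainder of onDecode, including the code that consumes offset and size, lies outside this hunk, and the hunk header's line counts suggest its final context line is not shown here.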