From: Matt Sarett <msarett@google.com>
Date: Fri, 13 Jan 2017 18:58:57 +0000 (-0500)
Subject: Fix out of bounds read in RP::load_tables_u16_be()
X-Git-Tag: accepted/tizen/5.0/unified/20181102.025319~55^2~834
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=c55bc9a8dd6e48a8b16f191d078022298737941a;p=platform%2Fupstream%2FlibSkiaSharp.git

Fix out of bounds read in RP::load_tables_u16_be()

BUG=skia:

CQ_INCLUDE_TRYBOTS=skia.primary:Test-Ubuntu-GCC-GCE-CPU-AVX2-x86_64-Release-SKNX_NO_SIMD

Change-Id: I4f6dd002b03812d63bf62342c346ea21f6865466
Reviewed-on: https://skia-review.googlesource.com/7027
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Matt Sarett <msarett@google.com>
---

diff --git a/src/opts/SkRasterPipeline_opts.h b/src/opts/SkRasterPipeline_opts.h
index 41a10b9..71a15c6 100644
--- a/src/opts/SkRasterPipeline_opts.h
+++ b/src/opts/SkRasterPipeline_opts.h
@@ -604,9 +604,15 @@ STAGE_CTX(load_tables, const LoadTablesContext*) {
 
 STAGE_CTX(load_tables_u16_be, const LoadTablesContext*) {
     auto ptr = (const uint64_t*)ctx->fSrc + x;
+    const void* src = ptr;
+    SkNx<N, uint64_t> px;
+    if (tail) {
+        px = load(tail, ptr);
+        src = &px;
+    }
 
     SkNh rh, gh, bh, ah;
-    SkNh::Load4(ptr, &rh, &gh, &bh, &ah);
+    SkNh::Load4(src, &rh, &gh, &bh, &ah);
 
     // ctx->fSrc is big-endian, so "& 0xff" grabs the 8 most significant bits of each component.
     r = gather(tail, ctx->fR, SkNx_cast<int>(rh & 0xff));
diff --git a/tests/ColorSpaceXformTest.cpp b/tests/ColorSpaceXformTest.cpp
index 03a9263..a72cbbf 100644
--- a/tests/ColorSpaceXformTest.cpp
+++ b/tests/ColorSpaceXformTest.cpp
@@ -322,3 +322,18 @@ DEF_TEST(ColorSpaceXform_A2BCLUT, r) {
     }
 }
 
+DEF_TEST(SkColorSpaceXform_LoadTail, r) {
+    uint64_t* srcPixel = new uint64_t[1];
+    srcPixel[0] = 0;
+    uint32_t dstPixel;
+    sk_sp<SkColorSpace> adobe = SkColorSpace::MakeNamed(SkColorSpace::kAdobeRGB_Named);
+    sk_sp<SkColorSpace> srgb = SkColorSpace::MakeNamed(SkColorSpace::kSRGB_Named);
+    std::unique_ptr<SkColorSpaceXform> xform = SkColorSpaceXform::New(adobe.get(), srgb.get());
+
+    // ASAN will catch us if we read past the tail.
+    bool success = xform->apply(SkColorSpaceXform::kRGBA_8888_ColorFormat, &dstPixel,
+                                SkColorSpaceXform::kRGBA_U16_BE_ColorFormat, srcPixel, 1,
+                                kUnpremul_SkAlphaType);
+    REPORTER_ASSERT(r, success);
+}
+