src/core/SkPictureShader.cpp - Issue 1151663002: Don't serialize SkPictures in SkPictureShaders when in untrusted mode.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/core/SkPictureShader.cpp

Issue 1151663002: Don't serialize SkPictures in SkPictureShaders when in untrusted mode. (Closed) Base URL: https://skia.googlesource.com/skia@master

Patch Set: tweak Created 5 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/core/SkPictureShader.cpp

diff --git a/src/core/SkPictureShader.cpp b/src/core/SkPictureShader.cpp

index cb508d476b952a7487c320086e220092c3f60f4d..501d5153f524d136762bb6eaef172aa7cfeb663c 100644

--- a/src/core/SkPictureShader.cpp

+++ b/src/core/SkPictureShader.cpp

@@ -122,6 +122,8 @@ SkShader* SkPictureShader::Create(const SkPicture* picture, TileMode tmx, TileMo

return SkNEW_ARGS(SkPictureShader, (picture, tmx, tmy, localMatrix, tile));

}

+// TODO: rename SK_DISALLOW_CROSSPROCESS_PICTUREIMAGEFILTERS to SK_DISALLOW_CROSSPROCESS_PICTURES

SkFlattenable* SkPictureShader::CreateProc(SkReadBuffer& buffer) {

SkMatrix lm;

buffer.readMatrix(&lm);

@@ -129,7 +131,27 @@ SkFlattenable* SkPictureShader::CreateProc(SkReadBuffer& buffer) {

TileMode my = (TileMode)buffer.read32();

SkRect tile;

buffer.readRect(&tile);

- SkAutoTUnref<SkPicture> picture(SkPicture::CreateFromBuffer(buffer));

+ SkAutoTUnref<SkPicture> picture;

+#ifdef SK_DISALLOW_CROSSPROCESS_PICTUREIMAGEFILTERS

+ if (buffer.isCrossProcess()) {

+ if (buffer.isVersionLT(SkReadBuffer::kPictureShaderHasPictureBool_Version)) {

+ // Older code blindly serialized pictures. We don't trust them.

+ buffer.validate(false);

+ return NULL;

+ }

+ // Newer code won't serialize pictures in disallow-cross-process-picture mode.

+ // Assert that they didn't serialize anything except a false here.

+ buffer.validate(!buffer.readBool());

+ } else

+#endif

+ {

+ // Old code always serialized the picture. New code writes a 'true' first if it did.

+ if (buffer.isVersionLT(SkReadBuffer::kPictureShaderHasPictureBool_Version) ||

+ buffer.readBool()) {

+ picture.reset(SkPicture::CreateFromBuffer(buffer));

+ }

return SkPictureShader::Create(picture, mx, my, &lm, &tile);

}

@@ -138,7 +160,18 @@ void SkPictureShader::flatten(SkWriteBuffer& buffer) const {

buffer.write32(fTmx);

buffer.write32(fTmy);

buffer.writeRect(fTile);

- fPicture->flatten(buffer);

+#ifdef SK_DISALLOW_CROSSPROCESS_PICTUREIMAGEFILTERS

+ // The deserialization code won't trust that our serialized picture is safe to deserialize.

+ // So write a 'false' telling it that we're not serializing a picture.

+ if (buffer.isCrossProcess()) {

+ buffer.writeBool(false);

+ } else

+#endif

+ {

+ buffer.writeBool(true);

+ fPicture->flatten(buffer);

+ }

}

SkShader* SkPictureShader::refBitmapShader(const SkMatrix& matrix, const SkMatrix* localM,

« no previous file with comments | « include/core/SkPicture.h ('k') | src/core/SkReadBuffer.h » ('j') | no next file with comments »