Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(126)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: src/core/SkMallocPixelRef.cpp

Issue 116773002: Fixed more fuzzer issues (Closed) Base URL: https://skia.googlesource.com/skia.git@master
Patch Set: Changed isAvailable for validateAvailable Created 7 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« src/core/SkColorTable.cpp ('K') | « src/core/SkImageInfo.cpp ('k') | src/core/SkValidatingReadBuffer.h » ('j') | src/effects/SkDisplacementMapEffect.cpp » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: src/core/SkMallocPixelRef.cpp
diff --git a/src/core/SkMallocPixelRef.cpp b/src/core/SkMallocPixelRef.cpp
index 9f9ffd8db7401994ad203caf51a1f080795738be..b65197fac852ae7e5dceb3bf4ed4764dc92cd087 100644
--- a/src/core/SkMallocPixelRef.cpp
+++ b/src/core/SkMallocPixelRef.cpp
@@ -143,8 +143,13 @@ SkMallocPixelRef::SkMallocPixelRef(SkFlattenableReadBuffer& buffer)
{
fRB = buffer.read32();
size_t size = this->info().getSafeSize(fRB);
- fStorage = sk_malloc_throw(size);
- buffer.readByteArray(fStorage, size);
+ if (buffer.validateAvailable(size)) {
+ fStorage = sk_malloc_throw(size);
+ buffer.readByteArray(fStorage, size);
+ } else {
+ fStorage = NULL;
+ }
+
if (buffer.readBool()) {
fCTable = SkNEW_ARGS(SkColorTable, (buffer));
} else {
« src/core/SkColorTable.cpp ('K') | « src/core/SkImageInfo.cpp ('k') | src/core/SkValidatingReadBuffer.h » ('j') | src/effects/SkDisplacementMapEffect.cpp » ('J')

Powered by Google App Engine
This is Rietveld 408576698