Fix bmp RLE "bug" and add invalid image test to CodexTest

src/codec/SkBmpRLECodec.cpp

 /*
  * Copyright 2015 Google Inc.
  *
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 #include "SkBmpRLECodec.h"
 #include "SkCodecPriv.h"
 #include "SkColorPriv.h"
@@ skipping 165 matching lines @@
         SkCodecPrintf("Warning: incomplete RLE file.\n");
     }
     if (fRLEBytes == 0) {
         SkCodecPrintf("Error: could not read RLE image data.\n");
         return false;
     }
     return true;
 }
 
 /*
+ * Before signalling kIncompleteInput, we should attempt to load the
+ * stream buffer with additional data.
+ *
+ * @return the number of bytes remaining in the stream buffer after
+ *         attempting to read more bytes from the stream
+ */
+size_t SkBmpRLECodec::checkForMoreData() {
+    const size_t remainingBytes = fRLEBytes - fCurrRLEByte;
+    uint8_t* buffer = fStreamBuffer.get();
+
+    // We will be reusing the same buffer, starting over from the beginning.
+    // Move any remaining bytes to the start of the buffer.
+    // We use memmove() instead of memcpy() because there is risk that the dst
+    // and src memory will overlap in corrupt images.
+    memmove(buffer, SkTAddOffset<uint8_t>(buffer, fCurrRLEByte), remainingBytes);
+
+    // Adjust the buffer ptr to the start of the unfilled data.
+    buffer += remainingBytes;
+
+    // Try to read additional bytes from the stream.  There are fCurrRLEByte
+    // bytes of additional space remaining in the buffer, assuming that we
+    // have already copied remainingBytes to the start of the buffer.
+    size_t additionalBytes = this->stream()->read(buffer, fCurrRLEByte);
+
+    // Update counters and return the number of bytes we currently have
+    // available.  We are at the start of the buffer again.
+    fCurrRLEByte = 0;
+    // If we were unable to fill the buffer, fRLEBytes is no longer equal to
+    // the size of the buffer.  There will be unused space at the end.  This
+    // should be fine, given that there are no more bytes in the stream.
+    fRLEBytes = remainingBytes + additionalBytes;
+    return fRLEBytes;
+}
+
+/*
  * Set an RLE pixel using the color table
  */
 void SkBmpRLECodec::setPixel(void* dst, size_t dstRowBytes,
                              const SkImageInfo& dstInfo, uint32_t x, uint32_t y,
                              uint8_t index) {
     // Set the row
     int height = dstInfo.height();
     int row;
     if (SkBmpCodec::kBottomUp_RowOrder == this->rowOrder()) {
         row = height - y - 1;
@@ skipping 84 matching lines @@
         // succeeded.
         if (y >= height) {
             // It would be better to check for the EOF marker before returning
             // success, but we may be performing a scanline decode, which
             // may require us to stop before decoding the full height.
             return kSuccess;
         }
 
         // Every entry takes at least two bytes
         if ((int) fRLEBytes - fCurrRLEByte < 2) {
-            SkCodecPrintf("Warning: incomplete RLE input.\n");
-            return kIncompleteInput;
+            SkCodecPrintf("Warning: might be incomplete RLE input.\n");
+            if (this->checkForMoreData() < 2) {
+                return kIncompleteInput;
+            }
         }
 
         // Read the next two bytes.  These bytes have different meanings
         // depending on their values.  In the first interpretation, the first
         // byte is an escape flag and the second byte indicates what special
         // task to perform.
         const uint8_t flag = fStreamBuffer.get()[fCurrRLEByte++];
         const uint8_t task = fStreamBuffer.get()[fCurrRLEByte++];
 
         // Perform decoding
         if (RLE_ESCAPE == flag) {
             switch (task) {
                 case RLE_EOL:
                     x = 0;
                     y++;
                     break;
                 case RLE_EOF:
                     return kSuccess;
                 case RLE_DELTA: {
                     // Two bytes are needed to specify delta
                     if ((int) fRLEBytes - fCurrRLEByte < 2) {
-                        SkCodecPrintf("Warning: incomplete RLE input\n");
-                        return kIncompleteInput;
+                        SkCodecPrintf("Warning: might be incomplete RLE input.\n");
+                        if (this->checkForMoreData() < 2) {
+                            return kIncompleteInput;
+                        }
                     }
                     // Modify x and y
                     const uint8_t dx = fStreamBuffer.get()[fCurrRLEByte++];
                     const uint8_t dy = fStreamBuffer.get()[fCurrRLEByte++];
                     x += dx;
                     y += dy;
                     if (x > width || y > height) {
-                        SkCodecPrintf("Warning: invalid RLE input 1.\n");
-                        return kIncompleteInput;
+                        SkCodecPrintf("Warning: invalid RLE input.\n");
+                        return kInvalidInput;
                     }
                     break;
                 }
                 default: {
                     // If task does not match any of the above signals, it
                     // indicates that we have a sequence of non-RLE pixels.
                     // Furthermore, the value of task is equal to the number
                     // of pixels to interpret.
                     uint8_t numPixels = task;
                     const size_t rowBytes = compute_row_bytes(numPixels,
                             this->bitsPerPixel());
                     // Abort if setting numPixels moves us off the edge of the
-                    // image.  Also abort if there are not enough bytes
+                    // image.
+                    if (x + numPixels > width) {
+                        SkCodecPrintf("Warning: invalid RLE input.\n");
+                        return kInvalidInput;
+                    }
+                    // Also abort if there are not enough bytes
                     // remaining in the stream to set numPixels.
-                    if (x + numPixels > width ||
-                            (int) fRLEBytes - fCurrRLEByte < SkAlign2(rowBytes)) {
-                        SkCodecPrintf("Warning: invalid RLE input 2.\n");
-                        return kIncompleteInput;
+                    if ((int) fRLEBytes - fCurrRLEByte < SkAlign2(rowBytes)) {
+                        SkCodecPrintf("Warning: might be incomplete RLE input.\n");
+                        if (this->checkForMoreData() < SkAlign2(rowBytes)) {
+                            return kIncompleteInput;
+                        }
                     }
                     // Set numPixels number of pixels
                     while (numPixels > 0) {
                         switch(this->bitsPerPixel()) {
                             case 4: {
                                 SkASSERT(fCurrRLEByte < fRLEBytes);
                                 uint8_t val = fStreamBuffer.get()[fCurrRLEByte++];
                                 setPixel(dst, dstRowBytes, dstInfo, x++,
                                         y, val >> 4);
                                 numPixels--;
@@ skipping 35 matching lines @@
             // If the first byte read is not a flag, it indicates the number of
             // pixels to set in RLE mode.
             const uint8_t numPixels = flag;
             const int endX = SkTMin<int>(x + numPixels, width);
 
             if (24 == this->bitsPerPixel()) {
                 // In RLE24, the second byte read is part of the pixel color.
                 // There are two more required bytes to finish encoding the
                 // color.
                 if ((int) fRLEBytes - fCurrRLEByte < 2) {
-                    SkCodecPrintf("Warning: incomplete RLE input\n");
-                    return kIncompleteInput;
+                    SkCodecPrintf("Warning: might be incomplete RLE input.\n");
+                    if (this->checkForMoreData() < 2) {
+                        return kIncompleteInput;
+                    }
                 }
 
                 // Fill the pixels up to endX with the specified color
                 uint8_t blue = task;
                 uint8_t green = fStreamBuffer.get()[fCurrRLEByte++];
                 uint8_t red = fStreamBuffer.get()[fCurrRLEByte++];
                 while (x < endX) {
                     setRGBPixel(dst, dstRowBytes, dstInfo, x++, y, red,
                             green, blue);
                 }
@@ skipping 12 matching lines @@
                 // Set the indicated number of pixels
                 for (int which = 0; x < endX; x++) {
                     setPixel(dst, dstRowBytes, dstInfo, x, y,
                             indices[which]);
                     which = !which;
                 }
             }
         }
     }
 }