src/core/SkPath.cpp - Issue 1589533002: Fix fuzzer-found deserialization bugs

Side by Side Diff: src/core/SkPath.cpp

Issue 1589533002: Fix fuzzer-found deserialization bugs (Closed) Base URL: https://chromium.googlesource.com/skia.git@master

Patch Set: Also prevent overflow in SkBufferWithSizeCheck::read Created 4 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 /*	1 /*

2 * Copyright 2006 The Android Open Source Project	2 * Copyright 2006 The Android Open Source Project

3 *	3 *

4 * Use of this source code is governed by a BSD-style license that can be	4 * Use of this source code is governed by a BSD-style license that can be

5 * found in the LICENSE file.	5 * found in the LICENSE file.

6 */	6 */

7	7

8 #include "SkBuffer.h"	8 #include "SkBuffer.h"

9 #include "SkCubicClipper.h"	9 #include "SkCubicClipper.h"

10 #include "SkErrorInternals.h"	10 #include "SkErrorInternals.h"

(...skipping 1889 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1900 int32_t packed;	1900 int32_t packed;

1901 if (!buffer.readS32(&packed)) {	1901 if (!buffer.readS32(&packed)) {

1902 return 0;	1902 return 0;

1903 }	1903 }

1904	1904

1905 unsigned version = packed & 0xFF;	1905 unsigned version = packed & 0xFF;

1906	1906

1907 fConvexity = (packed >> kConvexity_SerializationShift) & 0xFF;	1907 fConvexity = (packed >> kConvexity_SerializationShift) & 0xFF;

1908 fFillType = (packed >> kFillType_SerializationShift) & 0xFF;	1908 fFillType = (packed >> kFillType_SerializationShift) & 0xFF;

1909 uint8_t dir = (packed >> kDirection_SerializationShift) & 0x3;	1909 uint8_t dir = (packed >> kDirection_SerializationShift) & 0x3;

1910 fIsVolatile = (packed >> kIsVolatile_SerializationShift) & 0x1;	1910 fIsVolatile = (packed >> kIsVolatile_SerializationShift) & 0x1;
	reed1 2016/01/13 19:20:05 unrelated: this seems wacky -- storing/restoring t unrelated: this seems wacky -- storing/restoring the volatile bit
1911 SkPathRef* pathRef = SkPathRef::CreateFromBuffer(&buffer);	1911 SkPathRef* pathRef = SkPathRef::CreateFromBuffer(&buffer);

1912	1912

1913 // compatibility check	1913 // compatibility check

1914 if (version < kPathPrivFirstDirection_Version) {	1914 if (version < kPathPrivFirstDirection_Version) {

1915 switch (dir) { // old values	1915 switch (dir) { // old values

1916 case 0:	1916 case 0:

1917 fFirstDirection = SkPathPriv::kUnknown_FirstDirection;	1917 fFirstDirection = SkPathPriv::kUnknown_FirstDirection;

1918 break;	1918 break;

1919 case 1:	1919 case 1:

1920 fFirstDirection = SkPathPriv::kCW_FirstDirection;	1920 fFirstDirection = SkPathPriv::kCW_FirstDirection;

1921 break;	1921 break;

1922 case 2:	1922 case 2:

1923 fFirstDirection = SkPathPriv::kCCW_FirstDirection;	1923 fFirstDirection = SkPathPriv::kCCW_FirstDirection;

1924 break;	1924 break;

1925 default:	1925 default:

1926 SkASSERT(false);	1926 SkASSERT(false);

1927 }	1927 }

1928 } else {	1928 } else {

1929 fFirstDirection = dir;	1929 fFirstDirection = dir;

1930 }	1930 }

1931	1931

1932 size_t sizeRead = 0;	1932 size_t sizeRead = 0;

1933 if (buffer.isValid()) {	1933 if (buffer.isValid() && pathRef) {
	reed1 2016/01/13 19:20:05 I think this if/else-if is getting more confusing. I think this if/else-if is getting more confusing. I posit that the following is correct, and perhaps clearer. (I think this should go on line 1912) if (!pathRef) { SkASSERT(!buffer.isValid()); return 0; } Then we shouldn't need to check again. ajuma 2016/01/13 20:08:15 Moved the check. The suggested SkASSERT doesn't ho Show quoted text On 2016/01/13 19:20:05, reed1 wrote: > I think this if/else-if is getting more confusing. I posit that the following is > correct, and perhaps clearer. > > (I think this should go on line 1912) > > if (!pathRef) { > SkASSERT(!buffer.isValid()); > return 0; > } > > Then we shouldn't need to check again. Moved the check. The suggested SkASSERT doesn't hold though; for example, SkPathRef::CreateFromBuffer can fail because one of the counts read from the buffer is negative (see the changes in SkPathRef.cpp) without the buffer itself becoming invalid.
1934 fPathRef.reset(pathRef);	1934 fPathRef.reset(pathRef);

1935 SkDEBUGCODE(this->validate();)	1935 SkDEBUGCODE(this->validate();)

1936 buffer.skipToAlign4();	1936 buffer.skipToAlign4();

1937 sizeRead = buffer.pos();	1937 sizeRead = buffer.pos();

1938 } else if (pathRef) {	1938 } else if (pathRef) {

1939 // If the buffer is not valid, pathRef should be nullptr	1939 // If the buffer is not valid, pathRef should be nullptr

1940 sk_throw();	1940 sk_throw();

1941 }	1941 }

1942 return sizeRead;	1942 return sizeRead;

1943 }	1943 }

(...skipping 1143 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
3087 }	3087 }

3088 } while (!done);	3088 } while (!done);

3089 return SkToBool(tangents.count()) ^ isInverse;	3089 return SkToBool(tangents.count()) ^ isInverse;

3090 }	3090 }

3091	3091

3092 int SkPath::ConvertConicToQuads(const SkPoint& p0, const SkPoint& p1, const SkPo int& p2,	3092 int SkPath::ConvertConicToQuads(const SkPoint& p0, const SkPoint& p1, const SkPo int& p2,

3093 SkScalar w, SkPoint pts[], int pow2) {	3093 SkScalar w, SkPoint pts[], int pow2) {

3094 const SkConic conic(p0, p1, p2, w);	3094 const SkConic conic(p0, p1, p2, w);

3095 return conic.chopIntoQuadsPOW2(pts, pow2);	3095 return conic.chopIntoQuadsPOW2(pts, pow2);

3096 }	3096 }

OLD	NEW

« no previous file with comments | « src/core/SkPaint.cpp ('k') | src/core/SkPathRef.cpp » ('j') | no next file with comments »