
Side by Side Diff: src/core/SkReadBuffer.cpp

Issue 1615883002: detect bad/corrupt flattenable factory indices (Closed) Base URL: https://skia.googlesource.com/skia.git@master
Patch Set: Created 4 years, 11 months ago
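--- a/src/core/SkReadBuffer.cpp
+++ b/src/core/SkReadBuffer.cpp
@@ -1,10 +1,10 @@
 
 /*
 * Copyright 2012 Google Inc.
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */
 
 #include "SkBitmap.h"
 #include "SkErrorInternals.h"
@@ -333,67 +333,74 @@
 //
 
 SkFlattenable::Factory factory = nullptr;
 
 if (fFactoryCount > 0) {
 int32_t index = fReader.readU32();
 if (0 == index) {
 return nullptr; // writer failed to give us the flattenable
 }
 index -= 1; // we stored the index-base-1
-SkASSERT(index < fFactoryCount);
+if ((unsigned)index >= (unsigned)fFactoryCount) {
+this->validate(false);
+return nullptr;
+}
 factory = fFactoryArray[index];
 } else if (fFactoryTDArray) {
 int32_t index = fReader.readU32();
 if (0 == index) {
 return nullptr; // writer failed to give us the flattenable
 }
 index -= 1; // we stored the index-base-1
+if ((unsigned)index >= (unsigned)fFactoryCount) {
+this->validate(false);
+return nullptr;
+}
 factory = (*fFactoryTDArray)[index];
 } else {
 factory = (SkFlattenable::Factory)readFunctionPtr();
 if (nullptr == factory) {
 return nullptr; // writer failed to give us the flattenable
 }
 }
 
 // if we get here, factory may still be null, but if that is the case, the
 // failure was ours, not the writer.
 SkFlattenable* obj = nullptr;
 uint32_t sizeRecorded = fReader.readU32();
 if (factory) {
 size_t offset = fReader.offset();
 obj = (*factory)(*this);
 // check that we read the amount we expected
 size_t sizeRead = fReader.offset() - offset;
 if (sizeRecorded != sizeRead) {
-// we could try to fix up the offset...
-sk_throw();
+this->validate(false);
+return nullptr;
 }
 } else {
 // we must skip the remaining data
 fReader.skip(sizeRecorded);
 }
 return obj;
 }
 
 /**
 * Needs to follow the same pattern as readFlattenable(), but explicitly skip w hatever data
 * has been written.
 */
 void SkReadBuffer::skipFlattenable() {
 if (fFactoryCount > 0) {
 if (0 == fReader.readU32()) {
 return;
 }
 } else if (fFactoryTDArray) {
 if (0 == fReader.readU32()) {
 return;
 }
 } else {
 if (nullptr == this->readFunctionPtr()) {
 return;
 }
 }
 uint32_t sizeRecorded = fReader.readU32();
 fReader.skip(sizeRecorded);
 }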
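Review bot: The bounds check added in the fFactoryTDArray branch (new lines 354-357) compares against fFactoryCount, but that branch is only reached when `fFactoryCount > 0` is false, so with fFactoryCount == 0 the condition `(unsigned)index >= 0` holds for every index and every flattenable read through the TDArray path is rejected, while a negative fFactoryCount would cast to a huge bound and the check would never fire. The limit there should be the array's own length, e.g. `if ((unsigned)index >= (unsigned)fFactoryTDArray->count()) {`, assuming fFactoryTDArray is an SkTDArray. Separately, the new early return on the sizeRecorded mismatch (new lines 376-377) discards `obj` without releasing it; if the factory hands back an owning reference, as SkRefCnt-based flattenables do, that leaks on exactly the corrupt-input path this change is hardening, so `SkSafeUnref(obj);` before the `return nullptr;` would be worth adding. readFlattenable() begins above the hunk.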