Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(4)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: src/core/SkPathRef.cpp

Issue 1653003004: Fix fuzzer-found deserialization bug in SkPathRef (Closed) Base URL: https://chromium.googlesource.com/skia.git@master
Patch Set: Created 4 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright 2013 Google Inc. 2 * Copyright 2013 Google Inc.
3 * 3 *
4 * Use of this source code is governed by a BSD-style license that can be 4 * Use of this source code is governed by a BSD-style license that can be
5 * found in the LICENSE file. 5 * found in the LICENSE file.
6 */ 6 */
7 7
8 #include "SkBuffer.h" 8 #include "SkBuffer.h"
9 #include "SkOncePtr.h" 9 #include "SkOncePtr.h"
10 #include "SkPath.h" 10 #include "SkPath.h"
11 #include "SkPathRef.h" 11 #include "SkPathRef.h"
12 #include <limits>
12 13
13 ////////////////////////////////////////////////////////////////////////////// 14 //////////////////////////////////////////////////////////////////////////////
14 SkPathRef::Editor::Editor(SkAutoTUnref<SkPathRef>* pathRef, 15 SkPathRef::Editor::Editor(SkAutoTUnref<SkPathRef>* pathRef,
15 int incReserveVerbs, 16 int incReserveVerbs,
16 int incReservePoints) 17 int incReservePoints)
17 { 18 {
18 if ((*pathRef)->unique()) { 19 if ((*pathRef)->unique()) {
19 (*pathRef)->incReserve(incReserveVerbs, incReservePoints); 20 (*pathRef)->incReserve(incReserveVerbs, incReservePoints);
20 } else { 21 } else {
21 SkPathRef* copy = new SkPathRef; 22 SkPathRef* copy = new SkPathRef;
(...skipping 107 matching lines...) Expand 10 before | Expand all | Expand 10 after
129 delete ref; 130 delete ref;
130 return nullptr; 131 return nullptr;
131 } 132 }
132 133
133 ref->fIsFinite = (packed >> kIsFinite_SerializationShift) & 1; 134 ref->fIsFinite = (packed >> kIsFinite_SerializationShift) & 1;
134 uint8_t segmentMask = (packed >> kSegmentMask_SerializationShift) & 0xF; 135 uint8_t segmentMask = (packed >> kSegmentMask_SerializationShift) & 0xF;
135 bool isOval = (packed >> kIsOval_SerializationShift) & 1; 136 bool isOval = (packed >> kIsOval_SerializationShift) & 1;
136 bool isRRect = (packed >> kIsRRect_SerializationShift) & 1; 137 bool isRRect = (packed >> kIsRRect_SerializationShift) & 1;
137 138
138 int32_t verbCount, pointCount, conicCount; 139 int32_t verbCount, pointCount, conicCount;
140 ptrdiff_t maxPtrDiff = std::numeric_limits<ptrdiff_t>::max();
139 if (!buffer->readU32(&(ref->fGenerationID)) || 141 if (!buffer->readU32(&(ref->fGenerationID)) ||
140 !buffer->readS32(&verbCount) || 142 !buffer->readS32(&verbCount) ||
141 verbCount < 0 || 143 verbCount < 0 ||
144 static_cast<uint32_t>(verbCount) > maxPtrDiff/sizeof(uint8_t) ||
142 !buffer->readS32(&pointCount) || 145 !buffer->readS32(&pointCount) ||
143 pointCount < 0 || 146 pointCount < 0 ||
147 static_cast<uint32_t>(pointCount) > maxPtrDiff/sizeof(SkPoint) ||
148 sizeof(uint8_t) * verbCount + sizeof(SkPoint) * pointCount >
149 static_cast<size_t>(maxPtrDiff) ||
144 !buffer->readS32(&conicCount) || 150 !buffer->readS32(&conicCount) ||
145 conicCount < 0) { 151 conicCount < 0) {
146 delete ref; 152 delete ref;
147 return nullptr; 153 return nullptr;
148 } 154 }
149 155
150 ref->resetToSize(verbCount, pointCount, conicCount); 156 ref->resetToSize(verbCount, pointCount, conicCount);
151 SkASSERT(verbCount == ref->countVerbs()); 157 SkASSERT(verbCount == ref->countVerbs());
152 SkASSERT(pointCount == ref->countPoints()); 158 SkASSERT(pointCount == ref->countPoints());
153 SkASSERT(conicCount == ref->fConicWeights.count()); 159 SkASSERT(conicCount == ref->fConicWeights.count());
(...skipping 494 matching lines...) Expand 10 before | Expand all | Expand 10 after
648 break; 654 break;
649 default: 655 default:
650 SkDEBUGFAIL("Unknown Verb"); 656 SkDEBUGFAIL("Unknown Verb");
651 break; 657 break;
652 } 658 }
653 } 659 }
654 SkASSERT(mask == fSegmentMask); 660 SkASSERT(mask == fSegmentMask);
655 #endif // SK_DEBUG_PATH 661 #endif // SK_DEBUG_PATH
656 } 662 }
657 #endif 663 #endif
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698