Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(631)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: src/core/SkRegion.cpp

Issue 1961463003: Detect an invalid intervalCount in SkRegion during deserialiation. (Closed) Base URL: https://chromium.googlesource.com/skia.git@master
Patch Set: Created 4 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright 2006 The Android Open Source Project 2 * Copyright 2006 The Android Open Source Project
3 * 3 *
4 * Use of this source code is governed by a BSD-style license that can be 4 * Use of this source code is governed by a BSD-style license that can be
5 * found in the LICENSE file. 5 * found in the LICENSE file.
6 */ 6 */
7 7
8 8
9 #include "SkAtomics.h" 9 #include "SkAtomics.h"
10 #include "SkRegionPriv.h" 10 #include "SkRegionPriv.h"
(...skipping 1118 matching lines...) Expand 10 before | Expand all | Expand 10 after
1129 size_t SkRegion::readFromMemory(const void* storage, size_t length) { 1129 size_t SkRegion::readFromMemory(const void* storage, size_t length) {
1130 SkRBufferWithSizeCheck buffer(storage, length); 1130 SkRBufferWithSizeCheck buffer(storage, length);
1131 SkRegion tmp; 1131 SkRegion tmp;
1132 int32_t count; 1132 int32_t count;
1133 1133
1134 if (buffer.readS32(&count) && (count >= 0) && buffer.read(&tmp.fBounds, size of(tmp.fBounds))) { 1134 if (buffer.readS32(&count) && (count >= 0) && buffer.read(&tmp.fBounds, size of(tmp.fBounds))) {
1135 if (count == 0) { 1135 if (count == 0) {
1136 tmp.fRunHead = SkRegion_gRectRunHeadPtr; 1136 tmp.fRunHead = SkRegion_gRectRunHeadPtr;
1137 } else { 1137 } else {
1138 int32_t ySpanCount, intervalCount; 1138 int32_t ySpanCount, intervalCount;
1139 if (buffer.readS32(&ySpanCount) && buffer.readS32(&intervalCount)) { 1139 if (buffer.readS32(&ySpanCount) && buffer.readS32(&intervalCount) &&
1140 intervalCount > 1) {
1140 tmp.allocateRuns(count, ySpanCount, intervalCount); 1141 tmp.allocateRuns(count, ySpanCount, intervalCount);
1141 buffer.read(tmp.fRunHead->writable_runs(), count * sizeof(RunTyp e)); 1142 buffer.read(tmp.fRunHead->writable_runs(), count * sizeof(RunTyp e));
1142 } 1143 }
1143 } 1144 }
1144 } 1145 }
1145 size_t sizeRead = 0; 1146 size_t sizeRead = 0;
1146 if (buffer.isValid()) { 1147 if (buffer.isValid()) {
1147 this->swap(tmp); 1148 this->swap(tmp);
1148 sizeRead = buffer.pos(); 1149 sizeRead = buffer.pos();
1149 } 1150 }
(...skipping 319 matching lines...) Expand 10 before | Expand all | Expand 10 after
1469 bool SkRegion::debugSetRuns(const RunType runs[], int count) { 1470 bool SkRegion::debugSetRuns(const RunType runs[], int count) {
1470 // we need to make a copy, since the real method may modify the array, and 1471 // we need to make a copy, since the real method may modify the array, and
1471 // so it cannot be const. 1472 // so it cannot be const.
1472 1473
1473 SkAutoTArray<RunType> storage(count); 1474 SkAutoTArray<RunType> storage(count);
1474 memcpy(storage.get(), runs, count * sizeof(RunType)); 1475 memcpy(storage.get(), runs, count * sizeof(RunType));
1475 return this->setRuns(storage.get(), count); 1476 return this->setRuns(storage.get(), count);
1476 } 1477 }
1477 1478
1478 #endif 1479 #endif
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698