SkColorSpace::NewICC fix integer overflow caught by fuzzer

src/core/SkColorSpace.cpp

 /*
  * Copyright 2016 Google Inc.
  *
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 #include "SkColorSpace.h"
 #include "SkColorSpace_Base.h"
 #include "SkEndian.h"
@@ skipping 296 matching lines @@
                         color_space_almost_equal(SkFixedToFloat(fIlluminantXYZ[1]), 1.00000f) &&
                         color_space_almost_equal(SkFixedToFloat(fIlluminantXYZ[2]), 0.82491f),
                         "Illuminant must be D50");
 
         return_if_false(fTagCount <= 100, "Too many tags");
 
         return true;
     }
 };
 
+template <class T>
+static bool safe_add(T arg1, T arg2, size_t* result) {
+    SkASSERT(arg1 >= 0);
+    SkASSERT(arg2 >= 0);
+    if (arg1 >= 0 && arg2 <= std::numeric_limits<T>::max() - arg1) {
+        T sum = arg1 + arg2;
+        if (sum <= std::numeric_limits<size_t>::max()) {
+            *result = static_cast<size_t>(sum);
+            return true;
+        }
+    }
+    return false;
+}
+
 struct ICCTag {
     uint32_t fSignature;
     uint32_t fOffset;
     uint32_t fLength;
 
     const uint8_t* init(const uint8_t* src) {
         fSignature = read_big_endian_uint(src);
         fOffset = read_big_endian_uint(src + 4);
         fLength = read_big_endian_uint(src + 8);
         return src + 12;
     }
 
     bool valid(size_t len) {
-        return_if_false(fOffset + fLength <= len, "Tag too large for ICC profile");
+        size_t tagEnd;
+        return_if_false(safe_add(fOffset, fLength, &tagEnd),
+                        "Tag too large, overflows integer addition");
+        return_if_false(tagEnd <= len, "Tag too large for ICC profile");
         return true;
     }
 
     const uint8_t* addr(const uint8_t* src) const {
         return src + fOffset;
     }
 
     static const ICCTag* Find(const ICCTag tags[], int count, uint32_t signature) {
         for (int i = 0; i < count; ++i) {
             if (tags[i].fSignature == signature) {
@@ skipping 18 matching lines @@
         return false;
     }
 
     dst[0] = SkFixedToFloat(read_big_endian_int(src + 8));
     dst[1] = SkFixedToFloat(read_big_endian_int(src + 12));
     dst[2] = SkFixedToFloat(read_big_endian_int(src + 16));
     SkColorSpacePrintf("XYZ %g %g %g\n", dst[0], dst[1], dst[2]);
     return true;
 }
 
-template <class T>
-static bool safe_add(T arg1, T arg2, size_t* result) {
-    SkASSERT(arg1 >= 0);
-    SkASSERT(arg2 >= 0);
-    if (arg1 >= 0 && arg2 <= std::numeric_limits<T>::max() - arg1) {
-        T sum = arg1 + arg2;
-        if (sum <= std::numeric_limits<size_t>::max()) {
-            *result = static_cast<size_t>(sum);
-            return true;
-        }
-    }
-    return false;
-}
-
 static constexpr uint32_t kTAG_CurveType     = SkSetFourByteTag('c', 'u', 'r', 'v');
 static constexpr uint32_t kTAG_ParaCurveType = SkSetFourByteTag('p', 'a', 'r', 'a');
 
 bool load_gammas(SkGammaCurve* gammas, uint32_t numGammas, const uint8_t* src, size_t len) {
     for (uint32_t i = 0; i < numGammas; i++) {
         if (len < 12) {
             // FIXME (msarett):
             // We could potentially return false here after correctly parsing *some* of the
             // gammas correctly.  Should we somehow try to indicate a partial success?
             SkColorSpacePrintf("gamma tag is too small (%d bytes)", len);
@@ skipping 408 matching lines @@
     if (0 != offsetToMatrix && offsetToMatrix < len) {
         if (!load_matrix(toXYZ, src + offsetToMatrix, len - offsetToMatrix)) {
             SkColorSpacePrintf("Failed to read matrix from A to B tag.\n");
         }
     }
 
     return true;
 }
 
 sk_sp<SkColorSpace> SkColorSpace::NewICC(const void* input, size_t len) {
-    if (len < kICCHeaderSize) {
-        return_null("Data is not large enough to contain an ICC profile");
+    if (!input || len < kICCHeaderSize) {
+        return_null("Data is null or not large enough to contain an ICC profile");
     }
 
     // Create our own copy of the input.
     void* memory = sk_malloc_throw(len);
     memcpy(memory, input, len);
     sk_sp<SkData> data = SkData::MakeFromMalloc(memory, len);
     const void* base = data->data();
     const uint8_t* ptr = (const uint8_t*) base;
 
     // Read the ICC profile header and check to make sure that it is valid.
@@ skipping 315 matching lines @@
     ptr32[4] = SkEndian_SwapBE32(0x000116cc);
     ptr += kTAG_XYZ_Bytes;
 
     // Write copyright tag
     memcpy(ptr, gEmptyTextTag, sizeof(gEmptyTextTag));
 
     // TODO (msarett): Should we try to hold onto the data so we can return immediately if
     //                 the client calls again?
     return SkData::MakeFromMalloc(profile.release(), kICCProfileSize);
 }