Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(565)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: src/core/SkColorSpace_ICC.cpp

Issue 2230163002: Prevent overflows when using gamma_alloc_size (Closed) Base URL: https://skia.googlesource.com/skia@master
Patch Set: AUTHORS added. and typo. Created 4 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « AUTHORS ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright 2016 Google Inc. 2 * Copyright 2016 Google Inc.
3 * 3 *
4 * Use of this source code is governed by a BSD-style license that can be 4 * Use of this source code is governed by a BSD-style license that can be
5 * found in the LICENSE file. 5 * found in the LICENSE file.
6 */ 6 */
7 7
8 #include "SkColorSpace.h" 8 #include "SkColorSpace.h"
9 #include "SkColorSpace_Base.h" 9 #include "SkColorSpace_Base.h"
10 #include "SkColorSpacePriv.h" 10 #include "SkColorSpacePriv.h"
(...skipping 769 matching lines...) Expand 10 before | Expand all | Expand 10 after
780 handle_invalid_gamma(&rType, &rData); 780 handle_invalid_gamma(&rType, &rData);
781 size_t alignedTagBytes = SkAlign4(tagBytes); 781 size_t alignedTagBytes = SkAlign4(tagBytes);
782 782
783 if ((3 * alignedTagBytes <= tagLen) && 783 if ((3 * alignedTagBytes <= tagLen) &&
784 !memcmp(rTagPtr, rTagPtr + 1 * alignedTagBytes, tagBytes) && 784 !memcmp(rTagPtr, rTagPtr + 1 * alignedTagBytes, tagBytes) &&
785 !memcmp(rTagPtr, rTagPtr + 2 * alignedTagBytes, tagBytes)) 785 !memcmp(rTagPtr, rTagPtr + 2 * alignedTagBytes, tagBytes))
786 { 786 {
787 if (SkGammas::Type::kNamed_Type == rType) { 787 if (SkGammas::Type::kNamed_Type == rType) {
788 *gammaNamed = rData.fNamed; 788 *gammaNamed = rData.fNamed;
789 } else { 789 } else {
790 size_t allocSize = sizeof(SkGammas) + gamma_alloc_size(rType, rD ata); 790 size_t allocSize = sizeof(SkGammas);
791 return_if_false(safe_add(allocSize, gamma_alloc_size(rType, rDat a), &allocSize), "bad size");
msarett 2016/08/10 17:24:51 nit: Lines should be less than 100 chars. nit: Ch
791 void* memory = sk_malloc_throw(allocSize); 792 void* memory = sk_malloc_throw(allocSize);
792 *gammas = sk_sp<SkGammas>(new (memory) SkGammas()); 793 *gammas = sk_sp<SkGammas>(new (memory) SkGammas());
793 load_gammas(memory, 0, rType, &rData, rParams, rTagPtr); 794 load_gammas(memory, 0, rType, &rData, rParams, rTagPtr);
794 795
795 (*gammas)->fRedType = rType; 796 (*gammas)->fRedType = rType;
796 (*gammas)->fGreenType = rType; 797 (*gammas)->fGreenType = rType;
797 (*gammas)->fBlueType = rType; 798 (*gammas)->fBlueType = rType;
798 799
799 (*gammas)->fRedData = rData; 800 (*gammas)->fRedData = rData;
800 (*gammas)->fGreenData = rData; 801 (*gammas)->fGreenData = rData;
(...skipping 11 matching lines...) Expand all
812 813
813 alignedTagBytes = SkAlign4(tagBytes); 814 alignedTagBytes = SkAlign4(tagBytes);
814 const uint8_t* bTagPtr = gTagPtr + alignedTagBytes; 815 const uint8_t* bTagPtr = gTagPtr + alignedTagBytes;
815 tagLen = tagLen > alignedTagBytes ? tagLen - alignedTagBytes : 0; 816 tagLen = tagLen > alignedTagBytes ? tagLen - alignedTagBytes : 0;
816 SkGammas::Data bData; 817 SkGammas::Data bData;
817 SkGammas::Params bParams; 818 SkGammas::Params bParams;
818 SkGammas::Type bType = parse_gamma(&bData, &bParams, &tagBytes, bTag Ptr, 819 SkGammas::Type bType = parse_gamma(&bData, &bParams, &tagBytes, bTag Ptr,
819 tagLen); 820 tagLen);
820 handle_invalid_gamma(&bType, &bData); 821 handle_invalid_gamma(&bType, &bData);
821 822
822 size_t allocSize = sizeof(SkGammas) + gamma_alloc_size(rType, rData) 823 size_t allocSize = sizeof(SkGammas);
823 + gamma_alloc_size(gType, gData) 824 return_if_false(safe_add(allocSize, gamma_alloc_size(rType, rData), &allocSize), "bad size");
msarett 2016/08/10 17:24:51 Same nits on these three lines as well.
824 + gamma_alloc_size(bType, bData) ; 825 return_if_false(safe_add(allocSize, gamma_alloc_size(gType, gData), &allocSize), "bad size");
826 return_if_false(safe_add(allocSize, gamma_alloc_size(bType, bData), &allocSize), "bad size");
825 void* memory = sk_malloc_throw(allocSize); 827 void* memory = sk_malloc_throw(allocSize);
826 *gammas = sk_sp<SkGammas>(new (memory) SkGammas()); 828 *gammas = sk_sp<SkGammas>(new (memory) SkGammas());
827 829
828 uint32_t offset = 0; 830 uint32_t offset = 0;
829 (*gammas)->fRedType = rType; 831 (*gammas)->fRedType = rType;
830 offset += load_gammas(memory, offset, rType, &rData, rParams, rTagPt r); 832 offset += load_gammas(memory, offset, rType, &rData, rParams, rTagPt r);
831 833
832 (*gammas)->fGreenType = gType; 834 (*gammas)->fGreenType = gType;
833 offset += load_gammas(memory, offset, gType, &gData, gParams, gTagPt r); 835 offset += load_gammas(memory, offset, gType, &gData, gParams, gTagPt r);
834 836
(...skipping 128 matching lines...) Expand 10 before | Expand all | Expand 10 after
963 if (tag_equals(r, g, base) && tag_equals(g, b, base)) { 965 if (tag_equals(r, g, base) && tag_equals(g, b, base)) {
964 SkGammas::Data data; 966 SkGammas::Data data;
965 SkGammas::Params params; 967 SkGammas::Params params;
966 SkGammas::Type type = 968 SkGammas::Type type =
967 parse_gamma(&data, &params, &tagBytes, r->addr(b ase), r->fLength); 969 parse_gamma(&data, &params, &tagBytes, r->addr(b ase), r->fLength);
968 handle_invalid_gamma(&type, &data); 970 handle_invalid_gamma(&type, &data);
969 971
970 if (SkGammas::Type::kNamed_Type == type) { 972 if (SkGammas::Type::kNamed_Type == type) {
971 gammaNamed = data.fNamed; 973 gammaNamed = data.fNamed;
972 } else { 974 } else {
973 size_t allocSize = sizeof(SkGammas) + gamma_alloc_si ze(type, data); 975 size_t allocSize = sizeof(SkGammas);
976 if (!safe_add(allocSize, gamma_alloc_size(type, data ), &allocSize)) {
977 return_null("bad size");
msarett 2016/08/10 17:24:51 "SkGammas struct is too large to allocate"
978 }
974 void* memory = sk_malloc_throw(allocSize); 979 void* memory = sk_malloc_throw(allocSize);
975 gammas = sk_sp<SkGammas>(new (memory) SkGammas()); 980 gammas = sk_sp<SkGammas>(new (memory) SkGammas());
976 load_gammas(memory, 0, type, &data, params, r->addr( base)); 981 load_gammas(memory, 0, type, &data, params, r->addr( base));
977 982
978 gammas->fRedType = type; 983 gammas->fRedType = type;
979 gammas->fGreenType = type; 984 gammas->fGreenType = type;
980 gammas->fBlueType = type; 985 gammas->fBlueType = type;
981 986
982 gammas->fRedData = data; 987 gammas->fRedData = data;
983 gammas->fGreenData = data; 988 gammas->fGreenData = data;
(...skipping 11 matching lines...) Expand all
995 SkGammas::Type gType = 1000 SkGammas::Type gType =
996 parse_gamma(&gData, &gParams, &tagBytes, g->addr (base), g->fLength); 1001 parse_gamma(&gData, &gParams, &tagBytes, g->addr (base), g->fLength);
997 handle_invalid_gamma(&gType, &gData); 1002 handle_invalid_gamma(&gType, &gData);
998 1003
999 SkGammas::Data bData; 1004 SkGammas::Data bData;
1000 SkGammas::Params bParams; 1005 SkGammas::Params bParams;
1001 SkGammas::Type bType = 1006 SkGammas::Type bType =
1002 parse_gamma(&bData, &bParams, &tagBytes, b->addr (base), b->fLength); 1007 parse_gamma(&bData, &bParams, &tagBytes, b->addr (base), b->fLength);
1003 handle_invalid_gamma(&bType, &bData); 1008 handle_invalid_gamma(&bType, &bData);
1004 1009
1005 size_t allocSize = sizeof(SkGammas) + gamma_alloc_size(r Type, rData) 1010 size_t allocSize = sizeof(SkGammas);
1006 + gamma_alloc_size(g Type, gData) 1011 if (!safe_add(allocSize, gamma_alloc_size(rType, rData), &allocSize) ||
1007 + gamma_alloc_size(b Type, bData); 1012 !safe_add(allocSize, gamma_alloc_size(gType, gData), &allocSize) ||
1013 !safe_add(allocSize, gamma_alloc_size(bType, bData), &allocSize)) {
msarett 2016/08/10 17:24:51 nit: Move brace to it's own line
1014 return_null("bad size");
msarett 2016/08/10 17:24:51 "SkGammas struct is too large to allocate"
1015 }
1008 void* memory = sk_malloc_throw(allocSize); 1016 void* memory = sk_malloc_throw(allocSize);
1009 gammas = sk_sp<SkGammas>(new (memory) SkGammas()); 1017 gammas = sk_sp<SkGammas>(new (memory) SkGammas());
1010 1018
1011 uint32_t offset = 0; 1019 uint32_t offset = 0;
1012 gammas->fRedType = rType; 1020 gammas->fRedType = rType;
1013 offset += load_gammas(memory, offset, rType, &rData, rPa rams, 1021 offset += load_gammas(memory, offset, rType, &rData, rPa rams,
1014 r->addr(base)); 1022 r->addr(base));
1015 1023
1016 gammas->fGreenType = gType; 1024 gammas->fGreenType = gType;
1017 offset += load_gammas(memory, offset, gType, &gData, gPa rams, 1025 offset += load_gammas(memory, offset, gType, &gData, gPa rams,
(...skipping 267 matching lines...) Expand 10 before | Expand all | Expand 10 after
1285 ptr32[4] = SkEndian_SwapBE32(0x000116cc); 1293 ptr32[4] = SkEndian_SwapBE32(0x000116cc);
1286 ptr += kTAG_XYZ_Bytes; 1294 ptr += kTAG_XYZ_Bytes;
1287 1295
1288 // Write copyright tag 1296 // Write copyright tag
1289 memcpy(ptr, gEmptyTextTag, sizeof(gEmptyTextTag)); 1297 memcpy(ptr, gEmptyTextTag, sizeof(gEmptyTextTag));
1290 1298
1291 // TODO (msarett): Should we try to hold onto the data so we can return imme diately if 1299 // TODO (msarett): Should we try to hold onto the data so we can return imme diately if
1292 // the client calls again? 1300 // the client calls again?
1293 return SkData::MakeFromMalloc(profile.release(), kICCProfileSize); 1301 return SkData::MakeFromMalloc(profile.release(), kICCProfileSize);
1294 } 1302 }
OLDNEW
« no previous file with comments | « AUTHORS ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698