Chromium Code Reviews Chromium Code Reviews
Issue 2230163002:
Prevent overflows when using gamma_alloc_size (Closed)
Base URL: https://skia.googlesource.com/skia@master| Index: src/core/SkColorSpace_ICC.cpp |
| diff --git a/src/core/SkColorSpace_ICC.cpp b/src/core/SkColorSpace_ICC.cpp |
| old mode 100644 |
| new mode 100755 |
| index f8ad47a6cdb0565d0c489132c545336fef221d48..5bbef3e4e56fb73705456a7049c405f59269721c |
| --- a/src/core/SkColorSpace_ICC.cpp |
| +++ b/src/core/SkColorSpace_ICC.cpp |
| @@ -787,7 +787,8 @@ static bool load_a2b0(sk_sp<SkColorLookUpTable>* colorLUT, SkColorSpace::GammaNa |
| if (SkGammas::Type::kNamed_Type == rType) { |
| *gammaNamed = rData.fNamed; |
| } else { |
| - size_t allocSize = sizeof(SkGammas) + gamma_alloc_size(rType, rData); |
| + size_t allocSize = sizeof(SkGammas); |
| + return_if_false(safe_add(allocSize, gamma_alloc_size(rType, rData), &allocSize), "bad size"); |
|
msarett
2016/08/10 17:24:51
nit: Lines should be less than 100 chars.
nit: Ch
|
| void* memory = sk_malloc_throw(allocSize); |
| *gammas = sk_sp<SkGammas>(new (memory) SkGammas()); |
| load_gammas(memory, 0, rType, &rData, rParams, rTagPtr); |
| @@ -819,9 +820,10 @@ static bool load_a2b0(sk_sp<SkColorLookUpTable>* colorLUT, SkColorSpace::GammaNa |
| tagLen); |
| handle_invalid_gamma(&bType, &bData); |
| - size_t allocSize = sizeof(SkGammas) + gamma_alloc_size(rType, rData) |
| - + gamma_alloc_size(gType, gData) |
| - + gamma_alloc_size(bType, bData); |
| + size_t allocSize = sizeof(SkGammas); |
| + return_if_false(safe_add(allocSize, gamma_alloc_size(rType, rData), &allocSize), "bad size"); |
|
msarett
2016/08/10 17:24:51
Same nits on these three lines as well.
|
| + return_if_false(safe_add(allocSize, gamma_alloc_size(gType, gData), &allocSize), "bad size"); |
| + return_if_false(safe_add(allocSize, gamma_alloc_size(bType, bData), &allocSize), "bad size"); |
| void* memory = sk_malloc_throw(allocSize); |
| *gammas = sk_sp<SkGammas>(new (memory) SkGammas()); |
| @@ -970,7 +972,10 @@ sk_sp<SkColorSpace> SkColorSpace::NewICC(const void* input, size_t len) { |
| if (SkGammas::Type::kNamed_Type == type) { |
| gammaNamed = data.fNamed; |
| } else { |
| - size_t allocSize = sizeof(SkGammas) + gamma_alloc_size(type, data); |
| + size_t allocSize = sizeof(SkGammas); |
| + if (!safe_add(allocSize, gamma_alloc_size(type, data), &allocSize)) { |
| + return_null("bad size"); |
|
msarett
2016/08/10 17:24:51
"SkGammas struct is too large to allocate"
|
| + } |
| void* memory = sk_malloc_throw(allocSize); |
| gammas = sk_sp<SkGammas>(new (memory) SkGammas()); |
| load_gammas(memory, 0, type, &data, params, r->addr(base)); |
| @@ -1002,9 +1007,12 @@ sk_sp<SkColorSpace> SkColorSpace::NewICC(const void* input, size_t len) { |
| parse_gamma(&bData, &bParams, &tagBytes, b->addr(base), b->fLength); |
| handle_invalid_gamma(&bType, &bData); |
| - size_t allocSize = sizeof(SkGammas) + gamma_alloc_size(rType, rData) |
| - + gamma_alloc_size(gType, gData) |
| - + gamma_alloc_size(bType, bData); |
| + size_t allocSize = sizeof(SkGammas); |
| + if (!safe_add(allocSize, gamma_alloc_size(rType, rData), &allocSize) || |
| + !safe_add(allocSize, gamma_alloc_size(gType, gData), &allocSize) || |
| + !safe_add(allocSize, gamma_alloc_size(bType, bData), &allocSize)) { |
|
msarett
2016/08/10 17:24:51
nit: Move brace to it's own line
|
| + return_null("bad size"); |
|
msarett
2016/08/10 17:24:51
"SkGammas struct is too large to allocate"
|
| + } |
| void* memory = sk_malloc_throw(allocSize); |
| gammas = sk_sp<SkGammas>(new (memory) SkGammas()); |
