Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(359)

Side by Side Diff: third_party/WebKit/Source/platform/image-decoders/bmp/BMPImageDecoderTest.cpp

Issue 2248383002: Fix integer overflow (-INT_MIN) in blink::BMPImageReader::readInfoHeader (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: #5 fix Created 4 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | third_party/WebKit/Source/platform/image-decoders/bmp/BMPImageReader.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "platform/image-decoders/bmp/BMPImageDecoder.h" 5 #include "platform/image-decoders/bmp/BMPImageDecoder.h"
6 6
7 #include "platform/SharedBuffer.h" 7 #include "platform/SharedBuffer.h"
8 #include "platform/image-decoders/ImageDecoderTestHelpers.h" 8 #include "platform/image-decoders/ImageDecoderTestHelpers.h"
9 #include "testing/gtest/include/gtest/gtest.h" 9 #include "testing/gtest/include/gtest/gtest.h"
10 #include "wtf/PtrUtil.h" 10 #include "wtf/PtrUtil.h"
(...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after
60 60
61 std::unique_ptr<ImageDecoder> decoder = createDecoder(); 61 std::unique_ptr<ImageDecoder> decoder = createDecoder();
62 decoder->setData(data.get(), true); 62 decoder->setData(data.get(), true);
63 63
64 ImageFrame* frame = decoder->frameBufferAtIndex(0); 64 ImageFrame* frame = decoder->frameBufferAtIndex(0);
65 ASSERT_TRUE(frame); 65 ASSERT_TRUE(frame);
66 EXPECT_EQ(ImageFrame::FrameEmpty, frame->getStatus()); 66 EXPECT_EQ(ImageFrame::FrameEmpty, frame->getStatus());
67 EXPECT_TRUE(decoder->failed()); 67 EXPECT_TRUE(decoder->failed());
68 } 68 }
69 69
70 TEST(BMPImageDecoderTest, negativeHeight)
71 {
72 // Raw data for a BMP file with 1x1 white pixels and negative height.
73 const unsigned char whiteBMP[] = {
Peter Kasting 2016/08/19 08:42:51 Why not just check these in as actual files in Lay
aleksandar.stojiljkovic 2016/08/19 09:33:04 No problem. I saw the approach used in DeferredIma
74 0x42, 0x4d, 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
75 0x7a, 0x00, 0x00, 0x00, 0x6c, 0x00, 0x00, 0x00, 0x01, 0x00,
76 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x18, 0x00,
77 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x13, 0x0b,
78 0x00, 0x00, 0x13, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
79 0x00, 0x00, 0x00, 0x00, 0x42, 0x47, 0x52, 0x73, 0x00, 0x00,
80 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
81 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
82 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
83 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
84 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
85 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
86 0x00, 0x00, 0xff, 0xff, 0xff, 0xa0,
87 };
88
89 // Raw data for an invalid BMP file with 1xINT32_MIN size.
90 const unsigned char whiteBMPWithInt32MinHeight[] = {
91 0x42, 0x4d, 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
92 0x7a, 0x00, 0x00, 0x00, 0x6c, 0x00, 0x00, 0x00, 0x01, 0x00,
93 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 0x00, 0x18, 0x00,
94 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x13, 0x0b,
95 0x00, 0x00, 0x13, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
96 0x00, 0x00, 0x00, 0x00, 0x42, 0x47, 0x52, 0x73, 0x00, 0x00,
97 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
98 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
99 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
100 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
101 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
102 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
103 0x00, 0x00, 0xff, 0xff, 0xff, 0xa0,
104 };
105
106 // Test when not all data is received.
107 RefPtr<SharedBuffer> data = SharedBuffer::create(whiteBMP, sizeof(whiteBMP) - 1);
108 std::unique_ptr<ImageDecoder> decoder = createDecoder();
109 decoder->setData(data.get(), false);
110 EXPECT_TRUE(decoder->isSizeAvailable());
111 EXPECT_EQ(1, decoder->size().width());
112 EXPECT_EQ(1, decoder->size().height());
113 EXPECT_FALSE(decoder->failed());
114
115 // Test if INT32_MIN causes error.
116 data = SharedBuffer::create(whiteBMPWithInt32MinHeight, sizeof(whiteBMPWithI nt32MinHeight) - 1);
117 decoder = createDecoder();
118 decoder->setData(data.get(), false);
119 EXPECT_FALSE(decoder->isSizeAvailable());
120 EXPECT_TRUE(decoder->failed());
121 }
122
70 // This test verifies that calling SharedBuffer::mergeSegmentsIntoBuffer() does 123 // This test verifies that calling SharedBuffer::mergeSegmentsIntoBuffer() does
71 // not break BMP decoding at a critical point: in between a call to decode the 124 // not break BMP decoding at a critical point: in between a call to decode the
72 // size (when BMPImageDecoder stops while it may still have input data to 125 // size (when BMPImageDecoder stops while it may still have input data to
73 // read) and a call to do a full decode. 126 // read) and a call to do a full decode.
74 TEST(BMPImageDecoderTest, mergeBuffer) 127 TEST(BMPImageDecoderTest, mergeBuffer)
75 { 128 {
76 const char* bmpFile = "/LayoutTests/fast/images/resources/lenna.bmp"; 129 const char* bmpFile = "/LayoutTests/fast/images/resources/lenna.bmp";
77 testMergeBuffer(&createDecoder, bmpFile); 130 testMergeBuffer(&createDecoder, bmpFile);
78 } 131 }
79 132
80 } // namespace blink 133 } // namespace blink
OLDNEW
« no previous file with comments | « no previous file | third_party/WebKit/Source/platform/image-decoders/bmp/BMPImageReader.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698