src/core/SkColorSpace_ICC.cpp - Issue 2257983003: Add checks for bogus profiles to SkColorSpace::NewICC()

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/core/SkColorSpace_ICC.cpp

Issue 2257983003: Add checks for bogus profiles to SkColorSpace::NewICC() (Closed) Base URL: https://skia.googlesource.com/skia.git@master

Patch Set: Relax constraints Created 4 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/core/SkColorSpace_ICC.cpp

diff --git a/src/core/SkColorSpace_ICC.cpp b/src/core/SkColorSpace_ICC.cpp

index b33e6b5ba19bad70d7c32352fb403f1f71bdbf25..3895e47b0eb4b7bf8a73b95b53e7597e80c8fae3 100644

--- a/src/core/SkColorSpace_ICC.cpp

+++ b/src/core/SkColorSpace_ICC.cpp

@@ -110,7 +110,7 @@ struct ICCProfileHeader {

}

bool valid() const {

- return_if_false(fSize >= kICCHeaderSize, "Size is too small");

+ SkASSERT(fSize >= kICCHeaderSize);

uint8_t majorVersion = fVersion >> 24;

return_if_false(majorVersion <= 4, "Unsupported version");

@@ -149,6 +149,7 @@ struct ICCProfileHeader {

color_space_almost_equal(SkFixedToFloat(fIlluminantXYZ[2]), 0.82491f),

"Illuminant must be D50");

+ // Arbitrary, but there's no reason to exceed 100 tags.

return_if_false(fTagCount <= 100, "Too many tags");

return true;

@@ -291,6 +292,13 @@ static SkGammas::Type parse_gamma(SkGammas::Data* outData, SkColorSpaceTransferF

case kTAG_CurveType: {

uint32_t count = read_big_endian_u32(src + 8);

+ // This is arbitrary, but one million entries is more than enough for a table.

+ static constexpr size_t kMaxGammaTableSize = 2 << 20;

+ if (count > kMaxGammaTableSize) {

+ SkColorSpacePrintf("Gamma table too large");

+ return SkGammas::Type::kNone_Type;

+ }

// tagBytes = 12 + 2 * count

// We need to do safe addition here to avoid integer overflow.

if (!safe_add(count, count, &tagBytes) ||

@@ -873,7 +881,10 @@ static bool tag_equals(const ICCTag* a, const ICCTag* b, const uint8_t* base) {

}

sk_sp<SkColorSpace> SkColorSpace::NewICC(const void* input, size_t len) {

- if (!input || len < kICCHeaderSize) {

+ // This is arbitrary, but there's no need for a sane profile to exceed 4 MB.

+ static constexpr size_t kMaxICCSize = 2 << 22;

+ if (!input || kICCHeaderSize > len || len > kMaxICCSize) {

return_null("Data is null or not large enough to contain an ICC profile");

}

« no previous file with comments | « no previous file | tests/ColorSpaceTest.cpp » ('j') | no next file with comments »