
Unified Diff: src/effects/SkMatrixConvolutionImageFilter.cpp

Issue 23548034: Follow up to serialization validation code (Closed) Base URL: https://skia.googlecode.com/svn/trunk
Patch Set: Changed 0xFFFFFFFE for ~1 Created 7 years, 2 months ago
Index: src/effects/SkMatrixConvolutionImageFilter.cpp
diff --git a/src/effects/SkMatrixConvolutionImageFilter.cpp b/src/effects/SkMatrixConvolutionImageFilter.cpp
index 909facb0c973c2ff77df89dfcddb2a1aca269bf4..cac30e6a491853ab9907a34cd3df68ba2fa52736 100644
--- a/src/effects/SkMatrixConvolutionImageFilter.cpp
+++ b/src/effects/SkMatrixConvolutionImageFilter.cpp
@@ -61,17 +61,27 @@ SkMatrixConvolutionImageFilter::SkMatrixConvolutionImageFilter(SkFlattenableRead
: INHERITED(buffer) {
fKernelSize.fWidth = buffer.readInt();
fKernelSize.fHeight = buffer.readInt();
- uint32_t size = fKernelSize.fWidth * fKernelSize.fHeight;
- fKernel = SkNEW_ARRAY(SkScalar, size);
- SkDEBUGCODE(uint32_t readSize = )buffer.readScalarArray(fKernel);
- SkASSERT(readSize == size);
+ if ((fKernelSize.fWidth >= 1) && (fKernelSize.fHeight >= 1) &&
+ // Make sure size won't be larger than a signed int,
+ // which would still be extremely large for a kernel,
+ // but we don't impose a hard limit for kernel size
+ (SK_MaxS32 / fKernelSize.fWidth >= fKernelSize.fHeight)) {
+ uint32_t size = fKernelSize.fWidth * fKernelSize.fHeight;
+ fKernel = SkNEW_ARRAY(SkScalar, size);
+ uint32_t readSize = buffer.readScalarArray(fKernel);
+ SkASSERT(readSize == size);
+ buffer.validate(readSize == size);
+ } else {
+ fKernel = 0;
+ }
fGain = buffer.readScalar();
fBias = buffer.readScalar();
fTarget.fX = buffer.readInt();
fTarget.fY = buffer.readInt();
fTileMode = (TileMode) buffer.readInt();
fConvolveAlpha = buffer.readBool();
- buffer.validate(SkScalarIsFinite(fGain) &&
+ buffer.validate((fKernel != 0) &&
+ SkScalarIsFinite(fGain) &&
SkScalarIsFinite(fBias) &&
tile_mode_is_valid(fTileMode));
}
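Review bot: In the new `if` branch, `buffer.readScalarArray(fKernel)` copies into an allocation of `size` elements before `buffer.validate(readSize == size)` runs, so a serialized array whose stored count exceeds `fWidth * fHeight` is caught only after the copy, unless the reader bounds the copy itself (not visible in this hunk). The stored count should gate the read, e.g. `if (buffer.getArrayCount() == size) { buffer.readScalarArray(fKernel); } else { buffer.validate(false); }`, assuming the count peek is available on this buffer type; otherwise pass the capacity into the read. The `SkASSERT(readSize == size)` just above the validate call also turns malformed input into a debug-build abort rather than a validation failure. Separately, the `SK_MaxS32` guard bounds the element count only; `size * sizeof(SkScalar)` inside `SkNEW_ARRAY` can still exceed a 32-bit `size_t`, and `fTarget` is read without being compared against `fKernelSize`, so both deserve a check or a comment stating why they are safe. The constructor begins above the hunk, so the member initialisation of `fKernel` is not visible here.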