Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(135)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: src/core/SkValidatingReadBuffer.cpp

Issue 255693003: Fixed issue found by clusterfuzz (Closed) Base URL: https://skia.googlesource.com/skia.git@master
Patch Set: Created 6 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | tests/SerializationTest.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: src/core/SkValidatingReadBuffer.cpp
diff --git a/src/core/SkValidatingReadBuffer.cpp b/src/core/SkValidatingReadBuffer.cpp
index 95bf83c847d313fdd6af4dbb7ad5f6291f9eacdf..0dbe9deae46843a8bc9bc090bc74b9a563bd37b9 100644
--- a/src/core/SkValidatingReadBuffer.cpp
+++ b/src/core/SkValidatingReadBuffer.cpp
@@ -91,7 +91,13 @@ int32_t SkValidatingReadBuffer::read32() {
}
void SkValidatingReadBuffer::readString(SkString* string) {
- const size_t len = this->readInt();
+ const int32_t len32 = this->readInt();
Stephen White 2014/04/28 19:48:33 I think we should be reading a uint32_t here (sinc
sugoi1 2014/04/28 20:15:20 Done.
+ // Make sure len32 is a positive number before it gets converted to an unsigned integer format
+ if (!this->validate(len32 >= 0)) {
+ return;
+ }
+
+ const size_t len(len32);
const void* ptr = fReader.peek();
const char* cptr = (const char*)ptr;
« no previous file with comments | « no previous file | tests/SerializationTest.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698