
Side by Side Diff: src/core/SkValidatingReadBuffer.cpp

Issue 41253002: Checking structure sizes before reading them from memory to avoid overflowing the buffer's stream. (Closed) Base URL: https://skia.googlecode.com/svn/trunk
Patch Set: Created 7 years, 1 month ago
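--- a/src/core/SkValidatingReadBuffer.cpp
+++ b/src/core/SkValidatingReadBuffer.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright 2013 Google Inc.
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */
 
 #include "SkBitmap.h"
 #include "SkErrorInternals.h"
 #include "SkValidatingReadBuffer.h"
@@ -106,54 +106,54 @@
 }
 return data;
 }
 
 void SkValidatingReadBuffer::readPoint(SkPoint* point) {
 point->fX = fReader.readScalar();
 point->fY = fReader.readScalar();
 }
 
 void SkValidatingReadBuffer::readMatrix(SkMatrix* matrix) {
-const size_t size = matrix->readFromMemory(fReader.peek());
-fError = fError || (SkAlign4(size) != size);
+const void* addr = this->skip(SkMatrix::SizeToRead());
 if (!fError) {
-(void)this->skip(size);
+const size_t size = matrix->readFromMemory(addr);
+fError = fError || (SkAlign4(size) != size);
 }
 }
 
 void SkValidatingReadBuffer::readIRect(SkIRect* rect) {
 const void* ptr = this->skip(sizeof(SkIRect));
 if (!fError) {
 memcpy(rect, ptr, sizeof(SkIRect));
 }
 }
 
 void SkValidatingReadBuffer::readRect(SkRect* rect) {
 const void* ptr = this->skip(sizeof(SkRect));
 if (!fError) {
 memcpy(rect, ptr, sizeof(SkRect));
 }
 }
 
 void SkValidatingReadBuffer::readRegion(SkRegion* region) {
-const size_t size = region->readFromMemory(fReader.peek());
-fError = fError || (SkAlign4(size) != size);
+const void* addr = this->skip(SkRegion::SizeToRead(*this));
 if (!fError) {
-(void)this->skip(size);
+const size_t size = region->readFromMemory(addr);
+fError = fError || (SkAlign4(size) != size);
 }
 }
 
 void SkValidatingReadBuffer::readPath(SkPath* path) {
-const size_t size = path->readFromMemory(fReader.peek());
-fError = fError || (SkAlign4(size) != size);
+const void* addr = this->skip(SkPath::SizeToRead(*this));
 if (!fError) {
-(void)this->skip(size);
+const size_t size = path->readFromMemory(addr);
+fError = fError || (SkAlign4(size) != size);
 }
 }
 
 uint32_t SkValidatingReadBuffer::readByteArray(void* value) {
 const uint32_t length = this->readUInt();
 const void* ptr = this->skip(SkAlign4(length));
 if (!fError) {
 memcpy(value, ptr, length);
 return length;
 }
@@ -198,20 +198,22 @@
 const uint32_t byteLength = count * sizeof(SkScalar);
 const void* ptr = this->skip(SkAlign4(byteLength));
 if (!fError) {
 memcpy(values, ptr, byteLength);
 return count;
 }
 return 0;
 }
 
 uint32_t SkValidatingReadBuffer::getArrayCount() {
+const size_t inc = sizeof(uint32_t);
+fError = fError || !IsPtrAlign4(fReader.peek()) || !fReader.isAvailable(inc) ;
 return *(uint32_t*)fReader.peek();
 }
 
 void SkValidatingReadBuffer::readBitmap(SkBitmap* bitmap) {
 const int width = this->readInt();
 const int height = this->readInt();
 const size_t length = this->readUInt();
 // A size of zero means the SkBitmap was simply flattened.
 fError = fError || (length != 0);
 if (fError) {
@@ -255,10 +257,10 @@
 delete obj;
 obj = NULL;
 }
 } else {
 // we must skip the remaining data
 this->skip(sizeRecorded);
 SkASSERT(false);
 }
 return obj;
 }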
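Review bot: getArrayCount() still executes `return *(uint32_t*)fReader.peek();` after the new alignment/availability check has set fError, so a truncated or misaligned buffer is flagged but the four bytes are loaded anyway. Guard the load with the flag that was just computed, e.g. `return fError ? 0 : *(uint32_t*)fReader.peek();`. Separately, in readMatrix, readRegion and readPath the post-read check only tests `SkAlign4(size) != size`. The SizeToRead() helpers are not shown on this page, but if readFromMemory can consume a different number of bytes than was passed to skip(), that mismatch goes unnoticed. Keeping the skipped length in a local and also setting fError when `size` differs from it would close that gap.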