Side by Side Diff: src/core/SkPicturePlayback.cpp

Issue 41253002: Checking structure sizes before reading them from memory to avoid overflowing the buffer's stream. (Closed) Base URL: https://skia.googlecode.com/svn/trunk
Patch Set: Adding validation before memory allocation in SkRegion::readFromMemory Created 7 years, 1 month ago
1 1
2 /* 2 /*
3 * Copyright 2011 Google Inc. 3 * Copyright 2011 Google Inc.
4 * 4 *
5 * Use of this source code is governed by a BSD-style license that can be 5 * Use of this source code is governed by a BSD-style license that can be
6 * found in the LICENSE file. 6 * found in the LICENSE file.
7 */ 7 */
8 #include "SkPicturePlayback.h" 8 #include "SkPicturePlayback.h"
9 #include "SkPictureRecord.h" 9 #include "SkPictureRecord.h"
10 #include "SkTypeface.h" 10 #include "SkTypeface.h"
(...skipping 979 matching lines...) Expand 10 before | Expand all | Expand 10 after
990 constY, paint); 990 constY, paint);
991 } 991 }
992 } break; 992 } break;
993 case DRAW_RECT: { 993 case DRAW_RECT: {
994 const SkPaint& paint = *getPaint(reader); 994 const SkPaint& paint = *getPaint(reader);
995 canvas.drawRect(reader.skipT<SkRect>(), paint); 995 canvas.drawRect(reader.skipT<SkRect>(), paint);
996 } break; 996 } break;
997 case DRAW_RRECT: { 997 case DRAW_RRECT: {
998 const SkPaint& paint = *getPaint(reader); 998 const SkPaint& paint = *getPaint(reader);
999 SkRRect rrect; 999 SkRRect rrect;
1000 canvas.drawRRect(*reader.readRRect(&rrect), paint); 1000 reader.readRRect(&rrect);
1001 canvas.drawRRect(rrect, paint);
1001 } break; 1002 } break;
1002 case DRAW_SPRITE: { 1003 case DRAW_SPRITE: {
1003 const SkPaint* paint = getPaint(reader); 1004 const SkPaint* paint = getPaint(reader);
1004 const SkBitmap& bitmap = getBitmap(reader); 1005 const SkBitmap& bitmap = getBitmap(reader);
1005 int left = reader.readInt(); 1006 int left = reader.readInt();
1006 int top = reader.readInt(); 1007 int top = reader.readInt();
1007 canvas.drawSprite(bitmap, left, top, paint); 1008 canvas.drawSprite(bitmap, left, top, paint);
1008 } break; 1009 } break;
1009 case DRAW_TEXT: { 1010 case DRAW_TEXT: {
1010 const SkPaint& paint = *getPaint(reader); 1011 const SkPaint& paint = *getPaint(reader);
(...skipping 658 matching lines...) Expand 10 before | Expand all | Expand 10 after
1669 for (index = 0; index < fRegionCount; index++) 1670 for (index = 0; index < fRegionCount; index++)
1670 bufferPtr += snprintf(bufferPtr, DUMP_BUFFER_SIZE - (bufferPtr - pBuffer ), 1671 bufferPtr += snprintf(bufferPtr, DUMP_BUFFER_SIZE - (bufferPtr - pBuffer ),
1671 "region%p, ", &fRegions[index]); 1672 "region%p, ", &fRegions[index]);
1672 if (fRegionCount > 0) 1673 if (fRegionCount > 0)
1673 SkDebugf("%s0};\n", pBuffer); 1674 SkDebugf("%s0};\n", pBuffer);
1674 1675
1675 const_cast<SkPicturePlayback*>(this)->dumpStream(); 1676 const_cast<SkPicturePlayback*>(this)->dumpStream();
1676 } 1677 }
1677 1678
1678 #endif 1679 #endif
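Review bot: The rewritten DRAW_RRECT case (new lines 1000–1001) discards the result of `reader.readRRect(&rrect)`, so when the reader rejects an undersized or malformed record — the very situation this change is meant to catch — `canvas.drawRRect(rrect, paint)` still runs with whatever `rrect` holds after the failed read, and `SkRRect rrect;` on line 999 is not visibly initialized in this view. Either skip the draw when the read reports failure or put `rrect` into a known state before reading, so a rejected record degrades to a no-op instead of consuming indeterminate values. The return type of readRRect is not visible in this section; if it still returns a pointer, the guard would be `if (reader.readRRect(&rrect)) { canvas.drawRRect(rrect, paint); }`, and the DRAW_RECT case just above, which dereferences `reader.skipT<SkRect>()` unconditionally, likely deserves the same treatment. The enclosing switch and its function begin and end outside this section.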
