| OLD | NEW |
|---|
| 1 | 1 |
| 2 /* | 2 /* |
| 3 * Copyright 2006 The Android Open Source Project | 3 * Copyright 2006 The Android Open Source Project |
| 4 * | 4 * |
| 5 * Use of this source code is governed by a BSD-style license that can be | 5 * Use of this source code is governed by a BSD-style license that can be |
| 6 * found in the LICENSE file. | 6 * found in the LICENSE file. |
| 7 */ | 7 */ |
| 8 | 8 |
| 9 | 9 |
| 10 #include "SkRegionPriv.h" | 10 #include "SkRegionPriv.h" |
| (...skipping 1082 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1093 | 1093 |
| 1094 bool SkRegion::op(const SkRegion& rgna, const SkRegion& rgnb, Op op) { | 1094 bool SkRegion::op(const SkRegion& rgna, const SkRegion& rgnb, Op op) { |
| 1095 SkDEBUGCODE(this->validate();) | 1095 SkDEBUGCODE(this->validate();) |
| 1096 return SkRegion::Oper(rgna, rgnb, op, this); | 1096 return SkRegion::Oper(rgna, rgnb, op, this); |
| 1097 } | 1097 } |
| 1098 | 1098 |
| 1099 /////////////////////////////////////////////////////////////////////////////// | 1099 /////////////////////////////////////////////////////////////////////////////// |
| 1100 | 1100 |
| 1101 #include "SkBuffer.h" | 1101 #include "SkBuffer.h" |
| 1102 | 1102 |
| 1103 uint32_t SkRegion::writeToMemory(void* storage) const { | 1103 size_t SkRegion::writeToMemory(void* storage) const { |
| 1104 if (NULL == storage) { | 1104 if (NULL == storage) { |
| 1105 uint32_t size = sizeof(int32_t); // -1 (empty), 0 (rect), runCount | 1105 size_t size = sizeof(int32_t); // -1 (empty), 0 (rect), runCount |
| 1106 if (!this->isEmpty()) { | 1106 if (!this->isEmpty()) { |
| 1107 size += sizeof(fBounds); | 1107 size += sizeof(fBounds); |
| 1108 if (this->isComplex()) { | 1108 if (this->isComplex()) { |
| 1109 size += 2 * sizeof(int32_t); // ySpanCount + intervalCount | 1109 size += 2 * sizeof(int32_t); // ySpanCount + intervalCount |
| 1110 size += fRunHead->fRunCount * sizeof(RunType); | 1110 size += fRunHead->fRunCount * sizeof(RunType); |
| 1111 } | 1111 } |
| 1112 } | 1112 } |
| 1113 return size; | 1113 return size; |
| 1114 } | 1114 } |
| 1115 | 1115 |
| (...skipping 10 matching lines...) Expand all Loading... |
| 1126 if (!isRect) { | 1126 if (!isRect) { |
| 1127 buffer.write32(fRunHead->getYSpanCount()); | 1127 buffer.write32(fRunHead->getYSpanCount()); |
| 1128 buffer.write32(fRunHead->getIntervalCount()); | 1128 buffer.write32(fRunHead->getIntervalCount()); |
| 1129 buffer.write(fRunHead->readonly_runs(), | 1129 buffer.write(fRunHead->readonly_runs(), |
| 1130 fRunHead->fRunCount * sizeof(RunType)); | 1130 fRunHead->fRunCount * sizeof(RunType)); |
| 1131 } | 1131 } |
| 1132 } | 1132 } |
| 1133 return buffer.pos(); | 1133 return buffer.pos(); |
| 1134 } | 1134 } |
| 1135 | 1135 |
| 1136 uint32_t SkRegion::readFromMemory(const void* storage) { | 1136 size_t SkRegion::readFromMemory(const void* storage, size_t length) { |
| 1137 SkRBuffer buffer(storage); | 1137 SkRBufferWithSizeCheck buffer(storage, length); |
| 1138 SkRegion tmp; | 1138 SkRegion tmp; |
| 1139 int32_t count; | 1139 int32_t count; |
| 1140 | 1140 |
| 1141 count = buffer.readS32(); | 1141 count = buffer.readS32(); |
| 1142 if (count >= 0) { | 1142 if (count >= 0) { |
| 1143 buffer.read(&tmp.fBounds, sizeof(tmp.fBounds)); | 1143 buffer.read(&tmp.fBounds, sizeof(tmp.fBounds)); |
| 1144 if (count == 0) { | 1144 if (count == 0) { |
| 1145 tmp.fRunHead = SkRegion_gRectRunHeadPtr; | 1145 tmp.fRunHead = SkRegion_gRectRunHeadPtr; |
| 1146 } else { | 1146 } else { |
| 1147 int32_t ySpanCount = buffer.readS32(); | 1147 int32_t ySpanCount = buffer.readS32(); |
| 1148 int32_t intervalCount = buffer.readS32(); | 1148 int32_t intervalCount = buffer.readS32(); |
| 1149 tmp.allocateRuns(count, ySpanCount, intervalCount); | 1149 if (buffer.isValid()) { |
| 1150 buffer.read(tmp.fRunHead->writable_runs(), count * sizeof(RunType)); | 1150 tmp.allocateRuns(count, ySpanCount, intervalCount); |
| 1151 buffer.read(tmp.fRunHead->writable_runs(), count * sizeof(RunTyp
e)); |
| 1152 } |
| 1151 } | 1153 } |
| 1152 } | 1154 } |
| 1153 this->swap(tmp); | 1155 size_t sizeRead = 0; |
| 1154 return buffer.pos(); | 1156 if (buffer.isValid()) { |
| 1157 this->swap(tmp); |
| 1158 sizeRead = buffer.pos(); |
| 1159 } |
| 1160 return sizeRead; |
| 1155 } | 1161 } |
| 1156 | 1162 |
| 1157 /////////////////////////////////////////////////////////////////////////////// | 1163 /////////////////////////////////////////////////////////////////////////////// |
| 1158 | 1164 |
| 1159 const SkRegion& SkRegion::GetEmptyRegion() { | 1165 const SkRegion& SkRegion::GetEmptyRegion() { |
| 1160 static SkRegion gEmpty; | 1166 static SkRegion gEmpty; |
| 1161 return gEmpty; | 1167 return gEmpty; |
| 1162 } | 1168 } |
| 1163 | 1169 |
| 1164 /////////////////////////////////////////////////////////////////////////////// | 1170 /////////////////////////////////////////////////////////////////////////////// |
| (...skipping 308 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1473 bool SkRegion::debugSetRuns(const RunType runs[], int count) { | 1479 bool SkRegion::debugSetRuns(const RunType runs[], int count) { |
| 1474 // we need to make a copy, since the real method may modify the array, and | 1480 // we need to make a copy, since the real method may modify the array, and |
| 1475 // so it cannot be const. | 1481 // so it cannot be const. |
| 1476 | 1482 |
| 1477 SkAutoTArray<RunType> storage(count); | 1483 SkAutoTArray<RunType> storage(count); |
| 1478 memcpy(storage.get(), runs, count * sizeof(RunType)); | 1484 memcpy(storage.get(), runs, count * sizeof(RunType)); |
| 1479 return this->setRuns(storage.get(), count); | 1485 return this->setRuns(storage.get(), count); |
| 1480 } | 1486 } |
| 1481 | 1487 |
| 1482 #endif | 1488 #endif |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 41253002:
Checking structure sizes before reading them from memory to avoid overflowing the buffer's stream. (Closed)
Base URL: https://skia.googlecode.com/svn/trunk