
Side by Side Diff: src/core/SkPath.cpp

Issue 41253002: Checking structure sizes before reading them from memory to avoid overflowing the buffer's stream. (Closed) Base URL: https://skia.googlecode.com/svn/trunk
Patch Set: Removing SkMatrix's writeToMemory, readFromMemory Created 7 years, 1 month ago
1 1
2 /* 2 /*
3 * Copyright 2006 The Android Open Source Project 3 * Copyright 2006 The Android Open Source Project
4 * 4 *
5 * Use of this source code is governed by a BSD-style license that can be 5 * Use of this source code is governed by a BSD-style license that can be
6 * found in the LICENSE file. 6 * found in the LICENSE file.
7 */ 7 */
8 8
9 9
10 #include "SkBuffer.h" 10 #include "SkBuffer.h"
(...skipping 2095 matching lines...) Expand 10 before | Expand all | Expand 10 after
2106 #endif 2106 #endif
2107 2107
2108 buffer.write32(packed); 2108 buffer.write32(packed);
2109 2109
2110 fPathRef->writeToBuffer(&buffer); 2110 fPathRef->writeToBuffer(&buffer);
2111 2111
2112 buffer.padToAlign4(); 2112 buffer.padToAlign4();
2113 return SkToU32(buffer.pos()); 2113 return SkToU32(buffer.pos());
2114 } 2114 }
2115 2115
2116 uint32_t SkPath::readFromMemory(const void* storage) { 2116 uint32_t SkPath::readFromMemory(const void* storage, uint32_t length) {
2117 SkRBuffer buffer(storage); 2117 SkRBufferWithSizeCheck buffer(storage, length);
2118 2118
2119 uint32_t packed = buffer.readS32(); 2119 uint32_t packed = buffer.readS32();
2120 fIsOval = (packed >> kIsOval_SerializationShift) & 1; 2120 fIsOval = (packed >> kIsOval_SerializationShift) & 1;
2121 fConvexity = (packed >> kConvexity_SerializationShift) & 0xFF; 2121 fConvexity = (packed >> kConvexity_SerializationShift) & 0xFF;
2122 fFillType = (packed >> kFillType_SerializationShift) & 0xFF; 2122 fFillType = (packed >> kFillType_SerializationShift) & 0xFF;
2123 fSegmentMask = (packed >> kSegmentMask_SerializationShift) & 0xF; 2123 fSegmentMask = (packed >> kSegmentMask_SerializationShift) & 0xF;
2124 fDirection = (packed >> kDirection_SerializationShift) & 0x3; 2124 fDirection = (packed >> kDirection_SerializationShift) & 0x3;
2125 #ifndef DELETE_THIS_CODE_WHEN_SKPS_ARE_REBUILT_AT_V14_AND_ALL_OTHER_INSTANCES_TO O 2125 #ifndef DELETE_THIS_CODE_WHEN_SKPS_ARE_REBUILT_AT_V14_AND_ALL_OTHER_INSTANCES_TO O
2126 bool newFormat = (packed >> kNewFormat_SerializationShift) & 1; 2126 bool newFormat = (packed >> kNewFormat_SerializationShift) & 1;
2127 #endif 2127 #endif
2128 2128
2129 fPathRef.reset(SkPathRef::CreateFromBuffer(&buffer 2129 fPathRef.reset(SkPathRef::CreateFromBuffer(&buffer
2130 #ifndef DELETE_THIS_CODE_WHEN_SKPS_ARE_REBUILT_AT_V14_AND_ALL_OTHER_INSTANCES_TO O 2130 #ifndef DELETE_THIS_CODE_WHEN_SKPS_ARE_REBUILT_AT_V14_AND_ALL_OTHER_INSTANCES_TO O
2131 , newFormat, packed) 2131 , newFormat, packed
2132 #endif 2132 #endif
2133 ); 2133 ));
2134 2134
2135 buffer.skipToAlign4(); 2135 buffer.skipToAlign4();
2136 2136
2137 GEN_ID_INC; 2137 GEN_ID_INC;
2138 2138
2139 SkDEBUGCODE(this->validate();) 2139 SkDEBUGCODE(this->validate();)
2140 return SkToU32(buffer.pos()); 2140 return buffer.isValid() ? SkToU32(buffer.pos()) : 0;
2141 } 2141 }
2142 2142
2143 /////////////////////////////////////////////////////////////////////////////// 2143 ///////////////////////////////////////////////////////////////////////////////
2144 2144
2145 #include "SkString.h" 2145 #include "SkString.h"
2146 2146
2147 static void append_scalar(SkString* str, SkScalar value) { 2147 static void append_scalar(SkString* str, SkScalar value) {
2148 SkString tmp; 2148 SkString tmp;
2149 tmp.printf("%g", value); 2149 tmp.printf("%g", value);
2150 if (tmp.contains('.')) { 2150 if (tmp.contains('.')) {
(...skipping 851 matching lines...) Expand 10 before | Expand all | Expand 10 after
3002 switch (this->getFillType()) { 3002 switch (this->getFillType()) {
3003 case SkPath::kEvenOdd_FillType: 3003 case SkPath::kEvenOdd_FillType:
3004 case SkPath::kInverseEvenOdd_FillType: 3004 case SkPath::kInverseEvenOdd_FillType:
3005 w &= 1; 3005 w &= 1;
3006 break; 3006 break;
3007 default: 3007 default:
3008 break; 3008 break;
3009 } 3009 }
3010 return SkToBool(w); 3010 return SkToBool(w);
3011 } 3011 }
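Review bot: In the new `SkPath::readFromMemory(const void* storage, uint32_t length)`, `buffer.isValid()` is consulted only in the final `return`, so when a short or malformed buffer is reported as 0 the object has already been overwritten: `fIsOval`, `fConvexity`, `fFillType`, `fSegmentMask` and `fDirection` are assigned from `packed`, `fPathRef` is replaced, and `GEN_ID_INC` and the debug-only `validate()` have run. A caller that sees 0 is left holding a partially deserialized path, and a debug build may assert in `validate()` on input that should simply be rejected. I would bail out before the generation bump, for example `if (!buffer.isValid()) { this->reset(); return 0; }` right after `buffer.skipToAlign4();`, or parse into a temporary `SkPath` and swap it in only on success. What `SkRBufferWithSizeCheck` yields from a failed read, and whether `SkPathRef::CreateFromBuffer` checks its own counts against the remaining length, are not visible in this file section and should be confirmed. It would also help to document on the declaration that a return of 0 means failure and that `length` is the number of readable bytes at `storage`.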