Side by Side Diff: src/core/SkValidatingReadBuffer.cpp

Issue 41253002: Checking structure sizes before reading them from memory to avoid overflowing the buffer's stream. (Closed) Base URL: https://skia.googlecode.com/svn/trunk
Patch Set: Removing SkMatrix's writeToMemory, readFromMemory Created 7 years, 1 month ago
1 /* 1 /*
2 * Copyright 2013 Google Inc. 2 * Copyright 2013 Google Inc.
3 * 3 *
4 * Use of this source code is governed by a BSD-style license that can be 4 * Use of this source code is governed by a BSD-style license that can be
5 * found in the LICENSE file. 5 * found in the LICENSE file.
6 */ 6 */
7 7
8 #include "SkBitmap.h" 8 #include "SkBitmap.h"
9 #include "SkErrorInternals.h" 9 #include "SkErrorInternals.h"
10 #include "SkValidatingReadBuffer.h" 10 #include "SkValidatingReadBuffer.h"
(...skipping 95 matching lines...) Expand 10 before | Expand all | Expand 10 after
106 } 106 }
107 return data; 107 return data;
108 } 108 }
109 109
110 void SkValidatingReadBuffer::readPoint(SkPoint* point) { 110 void SkValidatingReadBuffer::readPoint(SkPoint* point) {
111 point->fX = fReader.readScalar(); 111 point->fX = fReader.readScalar();
112 point->fY = fReader.readScalar(); 112 point->fY = fReader.readScalar();
113 } 113 }
114 114
115 void SkValidatingReadBuffer::readMatrix(SkMatrix* matrix) { 115 void SkValidatingReadBuffer::readMatrix(SkMatrix* matrix) {
116 const size_t size = matrix->readFromMemory(fReader.peek()); 116 matrix->setAll(this->readScalar(), this->readScalar(), this->readScalar(),
117 fError = fError || (SkAlign4(size) != size); 117 this->readScalar(), this->readScalar(), this->readScalar(),
118 if (!fError) { 118 this->readScalar(), this->readScalar(), this->readScalar());
119 (void)this->skip(size);
120 }
121 } 119 }
122 120
123 void SkValidatingReadBuffer::readIRect(SkIRect* rect) { 121 void SkValidatingReadBuffer::readIRect(SkIRect* rect) {
124 const void* ptr = this->skip(sizeof(SkIRect)); 122 const void* ptr = this->skip(sizeof(SkIRect));
125 if (!fError) { 123 if (!fError) {
126 memcpy(rect, ptr, sizeof(SkIRect)); 124 memcpy(rect, ptr, sizeof(SkIRect));
127 } 125 }
128 } 126 }
129 127
130 void SkValidatingReadBuffer::readRect(SkRect* rect) { 128 void SkValidatingReadBuffer::readRect(SkRect* rect) {
131 const void* ptr = this->skip(sizeof(SkRect)); 129 const void* ptr = this->skip(sizeof(SkRect));
132 if (!fError) { 130 if (!fError) {
133 memcpy(rect, ptr, sizeof(SkRect)); 131 memcpy(rect, ptr, sizeof(SkRect));
134 } 132 }
135 } 133 }
136 134
137 void SkValidatingReadBuffer::readRegion(SkRegion* region) { 135 void SkValidatingReadBuffer::readRegion(SkRegion* region) {
138 const size_t size = region->readFromMemory(fReader.peek()); 136 const size_t size = region->readFromMemory(fReader.peek(), fReader.available ());
139 fError = fError || (SkAlign4(size) != size); 137 fError = fError || (SkAlign4(size) != size) || (0 == size);
140 if (!fError) { 138 if (!fError) {
141 (void)this->skip(size); 139 (void)this->skip(size);
142 } 140 }
143 } 141 }
144 142
145 void SkValidatingReadBuffer::readPath(SkPath* path) { 143 void SkValidatingReadBuffer::readPath(SkPath* path) {
146 const size_t size = path->readFromMemory(fReader.peek()); 144 const size_t size = path->readFromMemory(fReader.peek(), fReader.available() );
147 fError = fError || (SkAlign4(size) != size); 145 fError = fError || (SkAlign4(size) != size) || (0 == size);
148 if (!fError) { 146 if (!fError) {
149 (void)this->skip(size); 147 (void)this->skip(size);
150 } 148 }
151 } 149 }
152 150
153 uint32_t SkValidatingReadBuffer::readByteArray(void* value) { 151 uint32_t SkValidatingReadBuffer::readByteArray(void* value) {
154 const uint32_t length = this->readUInt(); 152 const uint32_t length = this->readUInt();
155 const void* ptr = this->skip(SkAlign4(length)); 153 const void* ptr = this->skip(SkAlign4(length));
156 if (!fError) { 154 if (!fError) {
157 memcpy(value, ptr, length); 155 memcpy(value, ptr, length);
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after
198 const uint32_t byteLength = count * sizeof(SkScalar); 196 const uint32_t byteLength = count * sizeof(SkScalar);
199 const void* ptr = this->skip(SkAlign4(byteLength)); 197 const void* ptr = this->skip(SkAlign4(byteLength));
200 if (!fError) { 198 if (!fError) {
201 memcpy(values, ptr, byteLength); 199 memcpy(values, ptr, byteLength);
202 return count; 200 return count;
203 } 201 }
204 return 0; 202 return 0;
205 } 203 }
206 204
207 uint32_t SkValidatingReadBuffer::getArrayCount() { 205 uint32_t SkValidatingReadBuffer::getArrayCount() {
206 const size_t inc = sizeof(uint32_t);
207 fError = fError || !IsPtrAlign4(fReader.peek()) || !fReader.isAvailable(inc) ;
208 return *(uint32_t*)fReader.peek(); 208 return *(uint32_t*)fReader.peek();
209 } 209 }
210 210
211 void SkValidatingReadBuffer::readBitmap(SkBitmap* bitmap) { 211 void SkValidatingReadBuffer::readBitmap(SkBitmap* bitmap) {
212 const int width = this->readInt(); 212 const int width = this->readInt();
213 const int height = this->readInt(); 213 const int height = this->readInt();
214 const size_t length = this->readUInt(); 214 const size_t length = this->readUInt();
215 // A size of zero means the SkBitmap was simply flattened. 215 // A size of zero means the SkBitmap was simply flattened.
216 fError = fError || (length != 0); 216 fError = fError || (length != 0);
217 if (fError) { 217 if (fError) {
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after
255 delete obj; 255 delete obj;
256 obj = NULL; 256 obj = NULL;
257 } 257 }
258 } else { 258 } else {
259 // we must skip the remaining data 259 // we must skip the remaining data
260 this->skip(sizeRecorded); 260 this->skip(sizeRecorded);
261 SkASSERT(false); 261 SkASSERT(false);
262 } 262 }
263 return obj; 263 return obj;
264 } 264 }
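Review bot: The nine `this->readScalar()` calls passed as arguments to `matrix->setAll(...)` in readMatrix (new lines 116-118) have unspecified evaluation order in C++, so a compiler may consume the serialized scalars in any order and the matrix fields can end up holding each other's values with no error flagged. Reading the scalars into a local array in a loop and then calling setAll pins the assignment to stream order. Separately, the new alignment/availability check in getArrayCount (new lines 206-207) still falls through to `return *(uint32_t*)fReader.peek();` on the following line, so a short or misaligned buffer is dereferenced regardless of fError; `return fError ? 0 : *(uint32_t*)fReader.peek();` would make the check effective. The readRegion/readPath hunks rely on readFromMemory returning 0 on failure, which this page does not show and should be confirmed against its definition.
```cpp
void SkValidatingReadBuffer::readMatrix(SkMatrix* matrix) {
    // Read in stream order: evaluation order of call arguments is unspecified.
    SkScalar values[9];
    for (int i = 0; i < 9; ++i) {
        values[i] = this->readScalar();
    }
    matrix->setAll(values[0], values[1], values[2],
                   values[3], values[4], values[5],
                   values[6], values[7], values[8]);
}
```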