Checking structure sizes before reading them from memory to avoid overflowing the buffer's stream.

src/core/SkPath.cpp

 
 /*
  * Copyright 2006 The Android Open Source Project
  *
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 
 #include "SkBuffer.h"
@@ skipping 2068 matching lines @@
     fPts = srcPts;
     return (Verb)verb;
 }
 
 ///////////////////////////////////////////////////////////////////////////////
 
 /*
     Format in compressed buffer: [ptCount, verbCount, pts[], verbs[]]
 */
 
-uint32_t SkPath::writeToMemory(void* storage) const {
+size_t SkPath::writeToMemory(void* storage) const {
     SkDEBUGCODE(this->validate();)
 
     if (NULL == storage) {
         const int byteCount = sizeof(int32_t) + fPathRef->writeSize();
         return SkAlign4(byteCount);
     }
 
     SkWBuffer   buffer(storage);
 
     int32_t packed = ((fIsOval & 1) << kIsOval_SerializationShift) |
                      (fConvexity << kConvexity_SerializationShift) |
                      (fFillType << kFillType_SerializationShift) |
                      (fSegmentMask << kSegmentMask_SerializationShift) |
                      (fDirection << kDirection_SerializationShift)
 #ifndef DELETE_THIS_CODE_WHEN_SKPS_ARE_REBUILT_AT_V14_AND_ALL_OTHER_INSTANCES_TOO
                      | (0x1 << kNewFormat_SerializationShift);
 #endif
 
     buffer.write32(packed);
 
     fPathRef->writeToBuffer(&buffer);
 
     buffer.padToAlign4();
-    return SkToU32(buffer.pos());
+    return buffer.pos();
 }
 
-uint32_t SkPath::readFromMemory(const void* storage) {
-    SkRBuffer   buffer(storage);
+size_t SkPath::readFromMemory(const void* storage, size_t length) {
+    SkRBufferWithSizeCheck buffer(storage, length);
 
     uint32_t packed = buffer.readS32();
     fIsOval = (packed >> kIsOval_SerializationShift) & 1;
     fConvexity = (packed >> kConvexity_SerializationShift) & 0xFF;
     fFillType = (packed >> kFillType_SerializationShift) & 0xFF;
     fSegmentMask = (packed >> kSegmentMask_SerializationShift) & 0xF;
     fDirection = (packed >> kDirection_SerializationShift) & 0x3;
 #ifndef DELETE_THIS_CODE_WHEN_SKPS_ARE_REBUILT_AT_V14_AND_ALL_OTHER_INSTANCES_TOO
     bool newFormat = (packed >> kNewFormat_SerializationShift) & 1;
 #endif
 
     fPathRef.reset(SkPathRef::CreateFromBuffer(&buffer
 #ifndef DELETE_THIS_CODE_WHEN_SKPS_ARE_REBUILT_AT_V14_AND_ALL_OTHER_INSTANCES_TOO
-        , newFormat, packed)
+        , newFormat, packed
 #endif
-        );
+        ));
 
     buffer.skipToAlign4();
 
     GEN_ID_INC;
 
     SkDEBUGCODE(this->validate();)
-    return SkToU32(buffer.pos());
+    return buffer.isValid() ? buffer.pos() : 0;
 }
 
 ///////////////////////////////////////////////////////////////////////////////
 
 #include "SkString.h"
 
 static void append_scalar(SkString* str, SkScalar value) {
     SkString tmp;
     tmp.printf("%g", value);
     if (tmp.contains('.')) {
@@ skipping 851 matching lines @@
     switch (this->getFillType()) {
         case SkPath::kEvenOdd_FillType:
         case SkPath::kInverseEvenOdd_FillType:
             w &= 1;
             break;
         default:
             break;
     }
     return SkToBool(w);
 }