
Side by Side Diff: src/core/SkValidatingReadBuffer.cpp

Issue 41253002: Checking structure sizes before reading them from memory to avoid overflowing the buffer's stream. (Closed) Base URL: https://skia.googlecode.com/svn/trunk
Patch Set: Fixed comments and added tests Created 7 years, 1 month ago
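--- a/src/core/SkValidatingReadBuffer.cpp
+++ b/src/core/SkValidatingReadBuffer.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright 2013 Google Inc.
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */
 
 #include "SkBitmap.h"
 #include "SkErrorInternals.h"
 #include "SkValidatingReadBuffer.h"
@@ -105,52 +105,52 @@
 }
 return data;
 }
 
 void SkValidatingReadBuffer::readPoint(SkPoint* point) {
 point->fX = fReader.readScalar();
 point->fY = fReader.readScalar();
 }
 
 void SkValidatingReadBuffer::readMatrix(SkMatrix* matrix) {
-const size_t size = matrix->readFromMemory(fReader.peek());
-fError = fError || (SkAlign4(size) != size);
+const size_t size = matrix->readFromMemory(fReader.peek(), fReader.available ());
+fError = fError || (SkAlign4(size) != size) || (0 == size);
 if (!fError) {
 (void)this->skip(size);
 }
 }
 
 void SkValidatingReadBuffer::readIRect(SkIRect* rect) {
 const void* ptr = this->skip(sizeof(SkIRect));
 if (!fError) {
 memcpy(rect, ptr, sizeof(SkIRect));
 }
 }
 
 void SkValidatingReadBuffer::readRect(SkRect* rect) {
 const void* ptr = this->skip(sizeof(SkRect));
 if (!fError) {
 memcpy(rect, ptr, sizeof(SkRect));
 }
 }
 
 void SkValidatingReadBuffer::readRegion(SkRegion* region) {
-const size_t size = region->readFromMemory(fReader.peek());
-fError = fError || (SkAlign4(size) != size);
+const size_t size = region->readFromMemory(fReader.peek(), fReader.available ());
+fError = fError || (SkAlign4(size) != size) || (0 == size);
 if (!fError) {
 (void)this->skip(size);
 }
 }
 
 void SkValidatingReadBuffer::readPath(SkPath* path) {
-const size_t size = path->readFromMemory(fReader.peek());
-fError = fError || (SkAlign4(size) != size);
+const size_t size = path->readFromMemory(fReader.peek(), fReader.available() );
+fError = fError || (SkAlign4(size) != size) || (0 == size);
 if (!fError) {
 (void)this->skip(size);
 }
 }
 
 uint32_t SkValidatingReadBuffer::readByteArray(void* value) {
 const uint32_t length = this->readUInt();
 const void* ptr = this->skip(SkAlign4(length));
 if (!fError) {
 memcpy(value, ptr, length);
@@ -197,20 +197,22 @@
 const uint32_t byteLength = count * sizeof(SkScalar);
 const void* ptr = this->skip(SkAlign4(byteLength));
 if (!fError) {
 memcpy(values, ptr, byteLength);
 return count;
 }
 return 0;
 }
 
 uint32_t SkValidatingReadBuffer::getArrayCount() {
+const size_t inc = sizeof(uint32_t);
+fError = fError || !IsPtrAlign4(fReader.peek()) || !fReader.isAvailable(inc) ;
 return *(uint32_t*)fReader.peek();
 }
 
 void SkValidatingReadBuffer::readBitmap(SkBitmap* bitmap) {
 const int width = this->readInt();
 const int height = this->readInt();
 const size_t length = this->readUInt();
 // A size of zero means the SkBitmap was simply flattened.
 fError = fError || (length != 0);
 if (fError) {
@@ -254,10 +256,10 @@
 delete obj;
 obj = NULL;
 }
 } else {
 // we must skip the remaining data
 this->skip(sizeRecorded);
 SkASSERT(false);
 }
 return obj;
 }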
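Review bot: In getArrayCount() the added alignment and availability check only records the failure in fError; the unchanged `return *(uint32_t*)fReader.peek();` on the next line still dereferences the cursor when fewer than four bytes remain or the pointer is misaligned, so the out-of-bounds read this change targets can still happen on exactly the path the check detects. The read should be skipped once validation has failed, for example `return fError ? 0 : *(uint32_t*)fReader.peek();`. How callers treat a returned 0 is not visible on this page, so confirm they consult the error state rather than only the count. A test that calls getArrayCount() on a buffer with fewer than `sizeof(uint32_t)` bytes remaining would pin this.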