src/core/SkRegion.cpp - Issue 41253002: Checking structure sizes before reading them from memory to avoid overflowing the buffer's stream.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/core/SkRegion.cpp

Issue 41253002: Checking structure sizes before reading them from memory to avoid overflowing the buffer's stream. (Closed) Base URL: https://skia.googlecode.com/svn/trunk

Patch Set: Created 7 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/core/SkRegion.cpp

diff --git a/src/core/SkRegion.cpp b/src/core/SkRegion.cpp

index 02994bffb0e96d50b64c204315673d024f018528..ff2ef95eb82f819dd0f0122c408d6e4d9700adcf 100644

--- a/src/core/SkRegion.cpp

+++ b/src/core/SkRegion.cpp

@@ -8,6 +8,7 @@

#include "SkRegionPriv.h"

+#include "SkFlattenableBuffers.h"

#include "SkTemplates.h"

#include "SkThread.h"

#include "SkUtils.h"

@@ -1100,17 +1101,35 @@ bool SkRegion::op(const SkRegion& rgna, const SkRegion& rgnb, Op op) {

#include "SkBuffer.h"

+uint32_t SkRegion::sizeInMemory() const {

+ uint32_t size = sizeof(int32_t); // -1 (empty), 0 (rect), runCount

+ if (!this->isEmpty()) {

+ size += sizeof(fBounds);

+ if (this->isComplex()) {

+ size += 2 * sizeof(int32_t); // ySpanCount + intervalCount

+ size += fRunHead->fRunCount * sizeof(RunType);

+ }

+ return size;

+uint32_t SkRegion::SizeToRead(SkFlattenableReadBuffer& buffer) {

+ uint32_t size = sizeof(int32_t);

+ uint32_t ucount = buffer.getArrayCount();

+ int32_t count = *(int32_t*)ucount; // -1 (empty), 0 (rect), runCount

+ if (count >= 0) {

+ size += sizeof(SkIRect); // fBounds

+ if (count > 0) {

+ size += 2 * sizeof(int32_t); // ySpanCount + intervalCount

+ size += count * sizeof(RunType);

+ }

+ return size;

uint32_t SkRegion::writeToMemory(void* storage) const {

if (NULL == storage) {

- uint32_t size = sizeof(int32_t); // -1 (empty), 0 (rect), runCount

- if (!this->isEmpty()) {

- size += sizeof(fBounds);

- if (this->isComplex()) {

- size += 2 * sizeof(int32_t); // ySpanCount + intervalCount

- size += fRunHead->fRunCount * sizeof(RunType);

- }

- return size;

+ return sizeInMemory();

}

SkWBuffer buffer(storage);

@@ -1130,7 +1149,9 @@ uint32_t SkRegion::writeToMemory(void* storage) const {

fRunHead->fRunCount * sizeof(RunType));

}

- return buffer.pos();

+ uint32_t writeSize = SkToU32(buffer.pos());

+ SkASSERT(sizeInMemory() == writeSize);

+ return writeSize;

}

uint32_t SkRegion::readFromMemory(const void* storage) {

@@ -1151,7 +1172,9 @@ uint32_t SkRegion::readFromMemory(const void* storage) {

}

this->swap(tmp);

- return buffer.pos();

+ uint32_t readSize = SkToU32(buffer.pos());

+ SkASSERT(sizeInMemory() == readSize);

+ return readSize;

}

///////////////////////////////////////////////////////////////////////////////

« src/core/SkPathRef.cpp ('K') | « src/core/SkPathRef.cpp ('k') | src/core/SkValidatingReadBuffer.cpp » ('j') | no next file with comments »