Checking structure sizes before reading them from memory to avoid overflowing the buffer's stream.

BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org

Committed: https://code.google.com/p/skia/source/detail?r=12114

Committed: https://code.google.com/p/skia/source/detail?r=12119

Author: sugoi@chromium.org

Review URL: https://codereview.chromium.org/41253002

git-svn-id: http://skia.googlecode.com/svn/trunk@12130 2bbb7eff-a529-9590-31e7-b0007b416f81
diff --git a/src/core/SkValidatingReadBuffer.cpp b/src/core/SkValidatingReadBuffer.cpp
index 9f094f9..3084565 100644
--- a/src/core/SkValidatingReadBuffer.cpp
+++ b/src/core/SkValidatingReadBuffer.cpp
@@ -118,8 +118,11 @@
 }
 
 void SkValidatingReadBuffer::readMatrix(SkMatrix* matrix) {
-    const size_t size = matrix->readFromMemory(fReader.peek());
-    this->validate(SkAlign4(size) == size);
+    size_t size = 0;
+    if (!fError) {
+        size = matrix->readFromMemory(fReader.peek(), fReader.available());
+        this->validate((SkAlign4(size) != size) || (0 == size));
+    }
     if (!fError) {
         (void)this->skip(size);
     }
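Review bot: The predicate passed to validate() in readMatrix looks inverted. The removed line passed the condition that must hold (`SkAlign4(size) == size`), while the new one passes `(SkAlign4(size) != size) || (0 == size)`, which is true exactly when the size is misaligned or zero. Assuming validate() still sets fError when its argument is false (its definition is not in this diff), a failed read returning 0 is accepted and every well-formed, non-zero, aligned read is rejected. The check should read `this->validate((SkAlign4(size) == size) && (0 != size));`. The same line appears in readRegion and readPath in the next hunk, and readMatrix's closing brace is outside this hunk.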
@@ -140,16 +143,22 @@
 }
 
 void SkValidatingReadBuffer::readRegion(SkRegion* region) {
-    const size_t size = region->readFromMemory(fReader.peek());
-    this->validate(SkAlign4(size) == size);
+    size_t size = 0;
+    if (!fError) {
+        size = region->readFromMemory(fReader.peek(), fReader.available());
+        this->validate((SkAlign4(size) != size) || (0 == size));
+    }
     if (!fError) {
         (void)this->skip(size);
     }
 }
 
 void SkValidatingReadBuffer::readPath(SkPath* path) {
-    const size_t size = path->readFromMemory(fReader.peek());
-    this->validate(SkAlign4(size) == size);
+    size_t size = 0;
+    if (!fError) {
+        size = path->readFromMemory(fReader.peek(), fReader.available());
+        this->validate((SkAlign4(size) != size) || (0 == size));
+    }
     if (!fError) {
         (void)this->skip(size);
     }
@@ -189,6 +198,8 @@
 }
 
 uint32_t SkValidatingReadBuffer::getArrayCount() {
+    const size_t inc = sizeof(uint32_t);
+    fError = fError || !IsPtrAlign4(fReader.peek()) || !fReader.isAvailable(inc);
     return *(uint32_t*)fReader.peek();
 }
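Review bot: getArrayCount still dereferences `fReader.peek()` after the added check has failed, so a misaligned pointer or a stream with fewer than `sizeof(uint32_t)` bytes left is recorded in fError but read anyway. The return should be guarded, `return fError ? 0 : *(uint32_t*)fReader.peek();`. Callers are not visible in this hunk, but any that size an allocation or a loop from this count would then see 0 on a bad stream instead of bytes from beyond the valid data.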