commit 12a4dc985b894083a9130d8f5770e67656418b52
author Leon Scroggins III <scroggo@google.com> Mon Jun 05 14:06:57 2017 -0400
committer Skia Commit-Bot <skia-commit-bot@chromium.org> Mon Jun 05 18:28:19 2017 +0000
tree d77c1072b80bea391d7a81ebe899bb3cd9dbc1aa
parent 094dcc51c184f0c85a013fd2a3f08edc08cb5cd0

Defend against ICOs with large BMPs embedded

If the ICO reports that it has a large BMP file embedded, do not
crash if we attempt to allocate too much memory.

Bug: b/38116746
Change-Id: I70eb66f5e4ffc15587007b398bbe843665eae500
Reviewed-on: https://skia-review.googlesource.com/18447
Reviewed-by: Matt Sarett <msarett@google.com>
Commit-Queue: Leon Scroggins <scroggo@google.com>

src/codec/SkIcoCodec.cpp

diff --git a/src/codec/SkIcoCodec.cpp b/src/codec/SkIcoCodec.cpp
index 9ea092e..9d424f3 100644
--- a/src/codec/SkIcoCodec.cpp
+++ b/src/codec/SkIcoCodec.cpp
@@ -128,11 +128,18 @@
         bytesRead = offset;
 
         // Create a new stream for the embedded codec
-        sk_sp<SkData> data(SkData::MakeFromStream(inputStream.get(), size));
-        if (nullptr == data.get()) {
+        SkAutoFree buffer(sk_malloc_flags(size, 0));
+        if (!buffer) {
+            SkCodecPrintf("Warning: OOM trying to create embedded stream.\n");
+            break;
+        }
+
+        if (inputStream->read(buffer.get(), size) != size) {
             SkCodecPrintf("Warning: could not create embedded stream.\n");
             break;
         }
+
+        sk_sp<SkData> data(SkData::MakeFromMalloc(buffer.release(), size));
         std::unique_ptr<SkMemoryStream> embeddedStream(new SkMemoryStream(data));
         bytesRead += size;