Only checksum and query a valid descriptor
Bug: oss-fuzz:19549
Change-Id: I941470cfa31c46b3e92cf53877efd2da8d181c01
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/260896
Commit-Queue: Herb Derby <herb@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
diff --git a/fuzz/FuzzSkDescriptor.cpp b/fuzz/FuzzSkDescriptor.cpp
index 4a68901..4dbc14f 100644
--- a/fuzz/FuzzSkDescriptor.cpp
+++ b/fuzz/FuzzSkDescriptor.cpp
@@ -18,8 +18,10 @@
return;
}
- size_t len = SkDescriptor::ComputeOverhead(numEntries);
- auto desc = SkDescriptor::Alloc(len);
+ size_t overhead = SkDescriptor::ComputeOverhead(numEntries);
+ size_t data;
+ fuzz->nextRange(&data, 0, 500);
+ auto desc = SkDescriptor::Alloc(overhead + data);
for (int32_t i = 0; i<numEntries && !fuzz->exhausted(); i++) {
uint32_t tag;
fuzz->next(&tag);
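Review bot: The size given to `SkDescriptor::Alloc` is now `overhead + data`, but nothing visible in this hunk ties `data` (0..500) to the payload sizes the loop later passes to `addEntry` (`sizeof(rec)` or `length` in the next hunk). If `addEntry` does not check against the allocation itself, a small `data` with several entries would make the harness write past its own buffer and report a crash that is not a library defect. Consider keeping a payload budget in the loop and bailing out when it is exceeded, for example `if (length > data) { return; } data -= length;` using whichever size is actually passed to `addEntry`. The loop body continues outside the hunk, so such a check may already exist further down.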
@@ -36,19 +38,15 @@
}
uint8_t choice;
- fuzz->nextRange(&choice, 0, 2);
+ fuzz->nextRange(&choice, 0, 1);
switch(choice) {
- case 0: { // use nullptr
- desc->addEntry(tag, length, nullptr);
- break;
- }
- case 1: { // use SkScalerContextRec
+ case 0: { // use SkScalerContextRec
SkScalerContextRec rec;
fuzz->next(&rec);
desc->addEntry(tag, sizeof(rec), &rec);
break;
}
- case 2: { // use arbitrary data
+ case 1: { // use arbitrary data
if (fuzz->remaining() < length) {
// Can't initialize all that we requested, so bail out.
return;
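Review bot: Neither the code nor the commit message explains why the `addEntry(tag, length, nullptr)` case was dropped from the switch, so a later contributor could re-add it to "restore coverage". A one-line comment above `switch(choice)` would record the decision, for example `// addEntry() with nullptr data is intentionally not fuzzed: <reason>`, with the reason filled in by the author. The body of `case 1` continues outside the hunk.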
@@ -67,12 +65,13 @@
// Exercise the API to make sure we don't step out of bounds, etc.
- desc->computeChecksum();
- desc->isValid();
+ if (desc->isValid()) {
+ desc->computeChecksum();
- uint32_t tagToFind;
- fuzz->next(&tagToFind);
+ uint32_t tagToFind;
+ fuzz->next(&tagToFind);
- uint32_t ignore;
- desc->findEntry(tagToFind, &ignore);
+ uint32_t ignore;
+ desc->findEntry(tagToFind, &ignore);
+ }
}
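Review bot: The comment kept above the new `if (desc->isValid())` still says the API is exercised to catch out-of-bounds access, but `computeChecksum()` and `findEntry()` are now skipped for every descriptor that fails validation. Going by the commit title, those two calls are only meant to run on a valid descriptor, and the comment should say so: `// computeChecksum() and findEntry() require a descriptor that passes isValid().` It is also worth stating there that `isValid()` is the one call that still sees malformed descriptors, and therefore has to be safe on arbitrary contents.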