Fix SkDashImpl::CreateProc OOM on garbage input Verify that there's enough data to read from before allocating gigantic blocks of memory. This was caught by a fuzzer. Bug: chromium:835418 Change-Id: I43fb1d11ec13726aacb62fe6aeb9f137424fb783 Reviewed-on: https://skia-review.googlesource.com/123538 Commit-Queue: Mike Klein <mtklein@google.com> Auto-Submit: Adrienne Walker <enne@chromium.org> Reviewed-by: Mike Klein <mtklein@google.com>

commit: 77e95f7067e3bbb4234965c8413f6f86e345bca6 [log] [tgz]
author: Adrienne Walker <enne@chromium.org> Tue Apr 24 16:41:41 2018 -0700
committer: Skia Commit-Bot <skia-commit-bot@chromium.org> Wed Apr 25 13:23:36 2018 +0000
tree: 87397beeb8ae00f6245f1c834806a45b1a3bd819
parent: ec4e7358ba6d5d68c32f0cdacfba454957960841 [diff] [blame]
diff --git a/src/effects/SkDashPathEffect.cpp b/src/effects/SkDashPathEffect.cpp
index cced73f..4cb98b3 100644
--- a/src/effects/SkDashPathEffect.cpp
+++ b/src/effects/SkDashPathEffect.cpp

@@ -367,6 +367,12 @@
 sk_sp<SkFlattenable> SkDashImpl::CreateProc(SkReadBuffer& buffer) {
     const SkScalar phase = buffer.readScalar();
     uint32_t count = buffer.getArrayCount();
+
+    // Don't allocate gigantic buffers if there's not data for them.
+    if (count > buffer.size() / sizeof(SkScalar)) {
+        return nullptr;
+    }
+
     SkAutoSTArray<32, SkScalar> intervals(count);
     if (buffer.readScalarArray(intervals.get(), count)) {
         return SkDashPathEffect::Make(intervals.get(), SkToInt(count), phase);
commit	77e95f7067e3bbb4234965c8413f6f86e345bca6	[log] [tgz]
author	Adrienne Walker <enne@chromium.org>	Tue Apr 24 16:41:41 2018 -0700
committer	Skia Commit-Bot <skia-commit-bot@chromium.org>	Wed Apr 25 13:23:36 2018 +0000
tree	87397beeb8ae00f6245f1c834806a45b1a3bd819
parent	ec4e7358ba6d5d68c32f0cdacfba454957960841 [diff] [blame]