Return nullptr when ReadBuffer becomes invalid
This especially helps in SkDrawLooper because we can bail out early
instead of looping for a potentially long time, e.g. when fuzzed
input says count is a large number.
This also cleans up validate in a few spots, and adds validateCanReadN
as a helper function.
Bug: skia:7937
Change-Id: Ic5eff357c8cadc91eeafc6e39c78c570ba74df2f
Reviewed-on: https://skia-review.googlesource.com/128847
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Commit-Queue: Mike Klein <mtklein@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>
Reviewed-by: Florin Malita <fmalita@chromium.org>
diff --git a/src/shaders/gradients/SkGradientShader.cpp b/src/shaders/gradients/SkGradientShader.cpp
index 60e9f2a..78f514c 100644
--- a/src/shaders/gradients/SkGradientShader.cpp
+++ b/src/shaders/gradients/SkGradientShader.cpp
@@ -17,7 +17,6 @@
#include "SkMallocPixelRef.h"
#include "SkRadialGradient.h"
#include "SkReadBuffer.h"
-#include "SkSafeMath.h"
#include "SkSweepGradient.h"
#include "SkTwoPointConicalGradient.h"
#include "SkWriteBuffer.h"
@@ -74,10 +73,7 @@
template <int N, typename T, bool MEM_MOVE>
static bool validate_array(SkReadBuffer& buffer, size_t count, SkSTArray<N, T, MEM_MOVE>* array) {
- SkSafeMath safe;
- const auto expectedSize = safe.mul(sizeof(T), count);
-
- if (!buffer.validate(safe && expectedSize <= buffer.available())) {
+ if (!buffer.validateCanReadN<T>(count)) {
return false;
}
diff --git a/src/shaders/gradients/SkTwoPointConicalGradient.cpp b/src/shaders/gradients/SkTwoPointConicalGradient.cpp
index d98f4bc..73ec3f2 100644
--- a/src/shaders/gradients/SkTwoPointConicalGradient.cpp
+++ b/src/shaders/gradients/SkTwoPointConicalGradient.cpp
@@ -156,7 +156,9 @@
}
}
}
-
+ if (!buffer.isValid()) {
+ return nullptr;
+ }
return SkGradientShader::MakeTwoPointConical(c1, r1, c2, r2, desc.fColors,
std::move(desc.fColorSpace), desc.fPos,
desc.fCount, desc.fTileMode, desc.fGradFlags,