Harden size check during textblob deserialization Check the text size read from a buffer should not exceed the size of the input buffer. This is to avoid memory allocation errors such as out of memory. BUG=chromium:809200 Change-Id: I47824f6e8122bd550ee97ac83e2251b7725865e7 Reviewed-on: https://skia-review.googlesource.com/113289 Reviewed-by: Florin Malita <fmalita@chromium.org> Commit-Queue: Florin Malita <fmalita@chromium.org>

commit: dc0b12ec7a2de9ae4836f90c66b4f8ff3558f0ba [log] [tgz]
author: Wei Li <weili@chromium.org> Thu Mar 08 14:33:52 2018 -0800
committer: Skia Commit-Bot <skia-commit-bot@chromium.org> Fri Mar 09 00:27:51 2018 +0000
tree: 1bccd8da2852b0f2f942fc04e36f9799ac4df85d
parent: ff6b4c59f24d70d939efb57f6638f29ad9e9d690 [diff]
diff --git a/src/core/SkTextBlob.cpp b/src/core/SkTextBlob.cpp
index f686f29..182cf72 100644
--- a/src/core/SkTextBlob.cpp
+++ b/src/core/SkTextBlob.cpp

@@ -809,7 +809,7 @@
             return nullptr;
         }
         int textSize = pe.extended ? reader.read32() : 0;
-        if (textSize < 0) {
+        if (textSize < 0 || static_cast<size_t>(textSize) > reader.size()) {
             return nullptr;
         }
commit	dc0b12ec7a2de9ae4836f90c66b4f8ff3558f0ba	[log] [tgz]
author	Wei Li <weili@chromium.org>	Thu Mar 08 14:33:52 2018 -0800
committer	Skia Commit-Bot <skia-commit-bot@chromium.org>	Fri Mar 09 00:27:51 2018 +0000
tree	1bccd8da2852b0f2f942fc04e36f9799ac4df85d
parent	ff6b4c59f24d70d939efb57f6638f29ad9e9d690 [diff]