Check the length of marker before reading it
Bug: os-fuzz:6295
Change-Id: I0ea9a3c54d61d41f21f2e9b945ab83fa2beb00d8
Reviewed-on: https://skia-review.googlesource.com/107025
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Leon Scroggins <scroggo@google.com>
diff --git a/resources/invalid_images/osfuzz6295.webp b/resources/invalid_images/osfuzz6295.webp
new file mode 100644
index 0000000..bb20aba
--- /dev/null
+++ b/resources/invalid_images/osfuzz6295.webp
Binary files differ
diff --git a/src/codec/SkJpegCodec.cpp b/src/codec/SkJpegCodec.cpp
index d2c023b..4f48886 100644
--- a/src/codec/SkJpegCodec.cpp
+++ b/src/codec/SkJpegCodec.cpp
@@ -62,7 +62,8 @@
bool is_orientation_marker(const uint8_t* data, size_t data_length, SkEncodedOrigin* orientation) {
bool littleEndian;
- if (!is_valid_endian_marker(data, &littleEndian)) {
+ // We need eight bytes to read the endian marker and the offset, below.
+ if (data_length < 8 || !is_valid_endian_marker(data, &littleEndian)) {
return false;
}
diff --git a/tests/CodecTest.cpp b/tests/CodecTest.cpp
index df94547..8172751 100644
--- a/tests/CodecTest.cpp
+++ b/tests/CodecTest.cpp
@@ -621,14 +621,20 @@
}
static void test_invalid(skiatest::Reporter* r, const char path[]) {
- std::unique_ptr<SkStream> stream(GetResourceAsStream(path));
- if (!stream) {
+ auto data = GetResourceAsData(path);
+ if (!data) {
+ ERRORF(r, "Failed to get resources %s", path);
return;
}
- REPORTER_ASSERT(r, !SkCodec::MakeFromStream(std::move(stream)));
+
+ REPORTER_ASSERT(r, !SkCodec::MakeFromData(data));
}
DEF_TEST(Codec_Empty, r) {
+ if (GetResourcePath().isEmpty()) {
+ return;
+ }
+
// Test images that should not be able to create a codec
test_invalid(r, "empty_images/zero-dims.gif");
test_invalid(r, "empty_images/zero-embedded.ico");
@@ -648,6 +654,7 @@
test_invalid(r, "empty_images/zero_height.tiff");
#endif
test_invalid(r, "invalid_images/b37623797.ico");
+ test_invalid(r, "invalid_images/osfuzz6295.webp");
}
#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
