Add tests (and fix!) for known bad ICO files.
We previously saw crashes decoding bad ICO files. Add tests for
known bad files.
While testing, I learned that one of them still crashes. Check for
large offset and size separately to fix the crash.
BUG=skia:2878
Review URL: https://codereview.chromium.org/712123002
diff --git a/gyp/tests.gypi b/gyp/tests.gypi
index 4bdea1e..fccbd1c 100644
--- a/gyp/tests.gypi
+++ b/gyp/tests.gypi
@@ -49,6 +49,7 @@
'../tests/AnnotationTest.cpp',
'../tests/AsADashTest.cpp',
'../tests/AtomicTest.cpp',
+ '../tests/BadIcoTest.cpp',
'../tests/BitSetTest.cpp',
'../tests/BitmapCopyTest.cpp',
'../tests/BitmapGetColorTest.cpp',
diff --git a/resources/invalid_images/sigabort_favicon.ico b/resources/invalid_images/sigabort_favicon.ico
new file mode 100644
index 0000000..527d657
--- /dev/null
+++ b/resources/invalid_images/sigabort_favicon.ico
Binary files differ
diff --git a/resources/invalid_images/sigsegv_favicon.ico b/resources/invalid_images/sigsegv_favicon.ico
new file mode 100644
index 0000000..f488a24
--- /dev/null
+++ b/resources/invalid_images/sigsegv_favicon.ico
Binary files differ
diff --git a/resources/invalid_images/sigsegv_favicon_2.ico b/resources/invalid_images/sigsegv_favicon_2.ico
new file mode 100644
index 0000000..49730df
--- /dev/null
+++ b/resources/invalid_images/sigsegv_favicon_2.ico
Binary files differ
diff --git a/src/images/SkImageDecoder_libico.cpp b/src/images/SkImageDecoder_libico.cpp
index cd8a292..5240d09 100644
--- a/src/images/SkImageDecoder_libico.cpp
+++ b/src/images/SkImageDecoder_libico.cpp
@@ -159,7 +159,7 @@
const size_t size = read4Bytes(buf, 14 + choice*16); //matters?
const size_t offset = read4Bytes(buf, 18 + choice*16);
// promote the sum to 64-bits to avoid overflow
- if (((uint64_t)offset + size) > length) {
+ if (offset > length || size > length || ((uint64_t)offset + size) > length) {
return kFailure;
}
diff --git a/tests/BadIcoTest.cpp b/tests/BadIcoTest.cpp
new file mode 100644
index 0000000..566f3d6
--- /dev/null
+++ b/tests/BadIcoTest.cpp
@@ -0,0 +1,33 @@
+/*
+ * Copyright 2014 Google Inc.
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "Resources.h"
+#include "Test.h"
+#include "SkBitmap.h"
+#include "SkImageDecoder.h"
+#include "SkOSFile.h"
+
+DEF_TEST(BadIco, reporter) {
+ const char* const badIcos [] = {
+ "sigabort_favicon.ico",
+ "sigsegv_favicon.ico",
+ "sigsegv_favicon_2.ico",
+ };
+
+ const char* badIcoFolder = "invalid_images";
+
+ SkString resourcePath = GetResourcePath(badIcoFolder);
+
+ SkBitmap bm;
+ for (size_t i = 0; i < SK_ARRAY_COUNT(badIcos); ++i) {
+ SkString fullPath = SkOSPath::Join(resourcePath.c_str(), badIcos[i]);
+ bool success = SkImageDecoder::DecodeFile(fullPath.c_str(), &bm);
+ // These files are invalid, and should not decode. More importantly,
+ // though, we reached here without crashing.
+ REPORTER_ASSERT(reporter, !success);
+ }
+}