2013-10-23 17:06:21 +00:00
|
|
|
/*
|
|
|
|
* Copyright 2013 Google Inc.
|
|
|
|
*
|
|
|
|
* Use of this source code is governed by a BSD-style license that can be
|
|
|
|
* found in the LICENSE file.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "SkBitmap.h"
|
|
|
|
#include "SkErrorInternals.h"
|
|
|
|
#include "SkValidatingReadBuffer.h"
|
|
|
|
#include "SkStream.h"
|
|
|
|
#include "SkTypeface.h"
|
|
|
|
|
2013-10-28 15:52:02 +00:00
|
|
|
SkValidatingReadBuffer::SkValidatingReadBuffer(const void* data, size_t size) :
|
|
|
|
fError(false) {
|
2013-10-23 17:06:21 +00:00
|
|
|
this->setMemory(data, size);
|
2014-01-30 18:58:24 +00:00
|
|
|
this->setFlags(SkReadBuffer::kValidation_Flag);
|
2013-10-23 17:06:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
SkValidatingReadBuffer::~SkValidatingReadBuffer() {
|
|
|
|
}
|
|
|
|
|
2013-11-08 19:22:57 +00:00
|
|
|
bool SkValidatingReadBuffer::validate(bool isValid) {
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
if (!fError && !isValid) {
|
|
|
|
// When an error is found, send the read cursor to the end of the stream
|
|
|
|
fReader.skip(fReader.available());
|
|
|
|
fError = true;
|
|
|
|
}
|
2013-11-08 19:22:57 +00:00
|
|
|
return !fError;
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
}
|
|
|
|
|
2013-12-06 20:14:46 +00:00
|
|
|
bool SkValidatingReadBuffer::isValid() const {
|
|
|
|
return !fError;
|
|
|
|
}
|
|
|
|
|
2013-10-23 17:06:21 +00:00
|
|
|
void SkValidatingReadBuffer::setMemory(const void* data, size_t size) {
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
this->validate(IsPtrAlign4(data) && (SkAlign4(size) == size));
|
2013-10-23 17:06:21 +00:00
|
|
|
if (!fError) {
|
|
|
|
fReader.setMemory(data, size);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
const void* SkValidatingReadBuffer::skip(size_t size) {
|
|
|
|
size_t inc = SkAlign4(size);
|
|
|
|
const void* addr = fReader.peek();
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
this->validate(IsPtrAlign4(addr) && fReader.isAvailable(inc));
|
2013-10-23 17:06:21 +00:00
|
|
|
if (!fError) {
|
|
|
|
fReader.skip(size);
|
|
|
|
}
|
|
|
|
return addr;
|
|
|
|
}
|
|
|
|
|
|
|
|
// All the methods in this file funnel down into either readInt(), readScalar() or skip(),
|
|
|
|
// followed by a memcpy. So we've got all our validation in readInt(), readScalar() and skip();
|
|
|
|
// if they fail they'll return a zero value or skip nothing, respectively, and set fError to
|
|
|
|
// true, which the caller should check to see if an error occurred during the read operation.
|
|
|
|
|
|
|
|
bool SkValidatingReadBuffer::readBool() {
|
2013-10-23 18:33:18 +00:00
|
|
|
uint32_t value = this->readInt();
|
|
|
|
// Boolean value should be either 0 or 1
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
this->validate(!(value & ~1));
|
2013-10-23 18:33:18 +00:00
|
|
|
return value != 0;
|
2013-10-23 17:06:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
SkColor SkValidatingReadBuffer::readColor() {
|
|
|
|
return this->readInt();
|
|
|
|
}
|
|
|
|
|
|
|
|
SkFixed SkValidatingReadBuffer::readFixed() {
|
|
|
|
return this->readInt();
|
|
|
|
}
|
|
|
|
|
|
|
|
int32_t SkValidatingReadBuffer::readInt() {
|
|
|
|
const size_t inc = sizeof(int32_t);
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
this->validate(IsPtrAlign4(fReader.peek()) && fReader.isAvailable(inc));
|
2013-10-23 17:06:21 +00:00
|
|
|
return fError ? 0 : fReader.readInt();
|
|
|
|
}
|
|
|
|
|
|
|
|
SkScalar SkValidatingReadBuffer::readScalar() {
|
|
|
|
const size_t inc = sizeof(SkScalar);
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
this->validate(IsPtrAlign4(fReader.peek()) && fReader.isAvailable(inc));
|
2013-10-23 17:06:21 +00:00
|
|
|
return fError ? 0 : fReader.readScalar();
|
|
|
|
}
|
|
|
|
|
|
|
|
uint32_t SkValidatingReadBuffer::readUInt() {
|
|
|
|
return this->readInt();
|
|
|
|
}
|
|
|
|
|
|
|
|
int32_t SkValidatingReadBuffer::read32() {
|
|
|
|
return this->readInt();
|
|
|
|
}
|
|
|
|
|
|
|
|
void SkValidatingReadBuffer::readString(SkString* string) {
|
|
|
|
const size_t len = this->readInt();
|
|
|
|
const void* ptr = fReader.peek();
|
|
|
|
const char* cptr = (const char*)ptr;
|
|
|
|
|
|
|
|
// skip over the string + '\0' and then pad to a multiple of 4
|
|
|
|
const size_t alignedSize = SkAlign4(len + 1);
|
|
|
|
this->skip(alignedSize);
|
2013-11-22 16:43:14 +00:00
|
|
|
if (!fError) {
|
|
|
|
this->validate(cptr[len] == '\0');
|
|
|
|
}
|
2013-10-23 17:06:21 +00:00
|
|
|
if (!fError) {
|
|
|
|
string->set(cptr, len);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void* SkValidatingReadBuffer::readEncodedString(size_t* length, SkPaint::TextEncoding encoding) {
|
2013-11-22 16:43:14 +00:00
|
|
|
const int32_t encodingType = this->readInt();
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
this->validate(encodingType == encoding);
|
2013-10-23 17:06:21 +00:00
|
|
|
*length = this->readInt();
|
|
|
|
const void* ptr = this->skip(SkAlign4(*length));
|
|
|
|
void* data = NULL;
|
|
|
|
if (!fError) {
|
|
|
|
data = sk_malloc_throw(*length);
|
|
|
|
memcpy(data, ptr, *length);
|
|
|
|
}
|
|
|
|
return data;
|
|
|
|
}
|
|
|
|
|
|
|
|
void SkValidatingReadBuffer::readPoint(SkPoint* point) {
|
2013-11-22 16:43:14 +00:00
|
|
|
point->fX = this->readScalar();
|
|
|
|
point->fY = this->readScalar();
|
2013-10-23 17:06:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
void SkValidatingReadBuffer::readMatrix(SkMatrix* matrix) {
|
2013-11-05 15:46:56 +00:00
|
|
|
size_t size = 0;
|
|
|
|
if (!fError) {
|
|
|
|
size = matrix->readFromMemory(fReader.peek(), fReader.available());
|
2013-11-08 19:22:57 +00:00
|
|
|
this->validate((SkAlign4(size) == size) && (0 != size));
|
2013-11-05 15:46:56 +00:00
|
|
|
}
|
2013-10-23 17:06:21 +00:00
|
|
|
if (!fError) {
|
|
|
|
(void)this->skip(size);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void SkValidatingReadBuffer::readIRect(SkIRect* rect) {
|
|
|
|
const void* ptr = this->skip(sizeof(SkIRect));
|
|
|
|
if (!fError) {
|
|
|
|
memcpy(rect, ptr, sizeof(SkIRect));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void SkValidatingReadBuffer::readRect(SkRect* rect) {
|
|
|
|
const void* ptr = this->skip(sizeof(SkRect));
|
|
|
|
if (!fError) {
|
|
|
|
memcpy(rect, ptr, sizeof(SkRect));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void SkValidatingReadBuffer::readRegion(SkRegion* region) {
|
2013-11-05 15:46:56 +00:00
|
|
|
size_t size = 0;
|
|
|
|
if (!fError) {
|
|
|
|
size = region->readFromMemory(fReader.peek(), fReader.available());
|
2013-11-08 19:22:57 +00:00
|
|
|
this->validate((SkAlign4(size) == size) && (0 != size));
|
2013-11-05 15:46:56 +00:00
|
|
|
}
|
2013-10-23 17:06:21 +00:00
|
|
|
if (!fError) {
|
|
|
|
(void)this->skip(size);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void SkValidatingReadBuffer::readPath(SkPath* path) {
|
2013-11-05 15:46:56 +00:00
|
|
|
size_t size = 0;
|
|
|
|
if (!fError) {
|
|
|
|
size = path->readFromMemory(fReader.peek(), fReader.available());
|
2013-11-08 19:22:57 +00:00
|
|
|
this->validate((SkAlign4(size) == size) && (0 != size));
|
2013-11-05 15:46:56 +00:00
|
|
|
}
|
2013-10-23 17:06:21 +00:00
|
|
|
if (!fError) {
|
|
|
|
(void)this->skip(size);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
bool SkValidatingReadBuffer::readArray(void* value, size_t size, size_t elementSize) {
|
|
|
|
const uint32_t count = this->getArrayCount();
|
|
|
|
this->validate(size == count);
|
|
|
|
(void)this->skip(sizeof(uint32_t)); // Skip array count
|
|
|
|
const size_t byteLength = count * elementSize;
|
|
|
|
const void* ptr = this->skip(SkAlign4(byteLength));
|
2013-10-23 17:06:21 +00:00
|
|
|
if (!fError) {
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
memcpy(value, ptr, byteLength);
|
|
|
|
return true;
|
2013-10-23 17:06:21 +00:00
|
|
|
}
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
return false;
|
2013-10-23 17:06:21 +00:00
|
|
|
}
|
|
|
|
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
bool SkValidatingReadBuffer::readByteArray(void* value, size_t size) {
|
|
|
|
return readArray(static_cast<unsigned char*>(value), size, sizeof(unsigned char));
|
2013-10-23 17:06:21 +00:00
|
|
|
}
|
|
|
|
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
bool SkValidatingReadBuffer::readColorArray(SkColor* colors, size_t size) {
|
|
|
|
return readArray(colors, size, sizeof(SkColor));
|
2013-10-23 17:06:21 +00:00
|
|
|
}
|
|
|
|
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
bool SkValidatingReadBuffer::readIntArray(int32_t* values, size_t size) {
|
|
|
|
return readArray(values, size, sizeof(int32_t));
|
2013-10-23 17:06:21 +00:00
|
|
|
}
|
|
|
|
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
bool SkValidatingReadBuffer::readPointArray(SkPoint* points, size_t size) {
|
|
|
|
return readArray(points, size, sizeof(SkPoint));
|
|
|
|
}
|
|
|
|
|
|
|
|
bool SkValidatingReadBuffer::readScalarArray(SkScalar* values, size_t size) {
|
|
|
|
return readArray(values, size, sizeof(SkScalar));
|
2013-10-23 17:06:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
uint32_t SkValidatingReadBuffer::getArrayCount() {
|
2013-11-05 15:46:56 +00:00
|
|
|
const size_t inc = sizeof(uint32_t);
|
|
|
|
fError = fError || !IsPtrAlign4(fReader.peek()) || !fReader.isAvailable(inc);
|
2013-12-02 13:50:38 +00:00
|
|
|
return fError ? 0 : *(uint32_t*)fReader.peek();
|
2013-10-23 17:06:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
void SkValidatingReadBuffer::readBitmap(SkBitmap* bitmap) {
|
|
|
|
const int width = this->readInt();
|
|
|
|
const int height = this->readInt();
|
|
|
|
const size_t length = this->readUInt();
|
|
|
|
// A size of zero means the SkBitmap was simply flattened.
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
this->validate(length == 0);
|
2013-10-23 17:06:21 +00:00
|
|
|
if (fError) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
bitmap->unflatten(*this);
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
this->validate((bitmap->width() == width) && (bitmap->height() == height));
|
|
|
|
}
|
|
|
|
|
|
|
|
SkTypeface* SkValidatingReadBuffer::readTypeface() {
|
|
|
|
// TODO: Implement this (securely) when needed
|
|
|
|
return NULL;
|
2013-10-23 17:06:21 +00:00
|
|
|
}
|
|
|
|
|
2013-12-17 20:49:46 +00:00
|
|
|
bool SkValidatingReadBuffer::validateAvailable(size_t size) {
|
|
|
|
return this->validate((size <= SK_MaxU32) && fReader.isAvailable(static_cast<uint32_t>(size)));
|
|
|
|
}
|
|
|
|
|
2013-10-23 17:06:21 +00:00
|
|
|
SkFlattenable* SkValidatingReadBuffer::readFlattenable(SkFlattenable::Type type) {
|
|
|
|
SkString name;
|
|
|
|
this->readString(&name);
|
|
|
|
if (fError) {
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Is this the type we wanted ?
|
|
|
|
const char* cname = name.c_str();
|
|
|
|
SkFlattenable::Type baseType;
|
|
|
|
if (!SkFlattenable::NameToType(cname, &baseType) || (baseType != type)) {
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
SkFlattenable::Factory factory = SkFlattenable::NameToFactory(cname);
|
|
|
|
if (NULL == factory) {
|
|
|
|
return NULL; // writer failed to give us the flattenable
|
|
|
|
}
|
|
|
|
|
|
|
|
// if we get here, factory may still be null, but if that is the case, the
|
|
|
|
// failure was ours, not the writer.
|
|
|
|
SkFlattenable* obj = NULL;
|
|
|
|
uint32_t sizeRecorded = this->readUInt();
|
|
|
|
if (factory) {
|
|
|
|
uint32_t offset = fReader.offset();
|
|
|
|
obj = (*factory)(*this);
|
|
|
|
// check that we read the amount we expected
|
|
|
|
uint32_t sizeRead = fReader.offset() - offset;
|
Adding size parameter to read array functions
In some cases, the allocated array into which the data will be read is using getArrayCount() to allocate itself, which should be safe, but some cases use fixed length arrays or compute the array size before reading, which could overflow if the stream is compromised.
To prevent that from happening, I added a check that will verify that the number of bytes to read will not exceed the capacity of the input buffer argument passed to all the read...Array() functions.
I chose to use the byte array for this initial version, so that "size" represents the same value across all read...Array() functions, but I could also use the element count, if it is preferred.
Note : readPointArray and writePointArray are unused, so I could also remove them
BUG=
R=reed@google.com, mtklein@google.com, senorblanco@chromium.org
Author: sugoi@chromium.org
Review URL: https://codereview.chromium.org/37803002
git-svn-id: http://skia.googlecode.com/svn/trunk@12058 2bbb7eff-a529-9590-31e7-b0007b416f81
2013-10-31 18:37:50 +00:00
|
|
|
this->validate(sizeRecorded == sizeRead);
|
2013-10-23 17:06:21 +00:00
|
|
|
if (fError) {
|
|
|
|
// we could try to fix up the offset...
|
|
|
|
delete obj;
|
|
|
|
obj = NULL;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
// we must skip the remaining data
|
|
|
|
this->skip(sizeRecorded);
|
|
|
|
SkASSERT(false);
|
|
|
|
}
|
|
|
|
return obj;
|
|
|
|
}
|