From 0951fe12984944406e0f1bb105b9fa4c54fcdcdd Mon Sep 17 00:00:00 2001 From: sugoi Date: Fri, 6 Jun 2014 06:44:16 -0700 Subject: [PATCH] Fixing another clusterfuzz issue This was introduced by removing SkValidatingReadBuffer::readBitmap in https://codereview.chromium.org/295793002/ Since SkReadBuffer::skip wasn't virtual, it was using the unsafe SkReadBuffer::skip within SkReadBuffer::readBitmap rather than using SkValidatingReadBuffer::skip. I also removed direct uses of fReader within SkReadBuffer::readBitmap so that it can use the virtual readInt / readFixed functions that have a version in SkValidatingReadBuffer. Also, I changed SkReadBuffer::readPoint so that it uses the virtual readScalar, that way, it becomes redundant with SkValidatingReadBuffer::readPoint, which can then be removed. BUG=380723 R=reed@google.com, mtklein@google.com, sugoi@google.com Author: sugoi@chromium.org Review URL: https://codereview.chromium.org/317003003 --- include/core/SkReadBuffer.h | 2 +- src/core/SkReadBuffer.cpp | 8 ++++---- src/core/SkValidatingReadBuffer.h | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/include/core/SkReadBuffer.h b/include/core/SkReadBuffer.h index 5364bee285..b792be36e0 100644 --- a/include/core/SkReadBuffer.h +++ b/include/core/SkReadBuffer.h @@ -84,7 +84,7 @@ public: size_t size() { return fReader.size(); } size_t offset() { return fReader.offset(); } bool eof() { return fReader.eof(); } - const void* skip(size_t size) { return fReader.skip(size); } + virtual const void* skip(size_t size) { return fReader.skip(size); } void* readFunctionPtr() { return fReader.readPtr(); } // primitives diff --git a/src/core/SkReadBuffer.cpp b/src/core/SkReadBuffer.cpp index a3ae8ae9b9..cacf989e20 100644 --- a/src/core/SkReadBuffer.cpp +++ b/src/core/SkReadBuffer.cpp @@ -199,8 +199,8 @@ bool SkReadBuffer::readBitmap(SkBitmap* bitmap) { if (this->readBool()) { // An SkBitmapHeap was used for writing. Read the index from the stream and find the // corresponding SkBitmap in fBitmapStorage. - const uint32_t index = fReader.readU32(); - fReader.readU32(); // bitmap generation ID (see SkWriteBuffer::writeBitmap) + const uint32_t index = this->readUInt(); + this->readUInt(); // bitmap generation ID (see SkWriteBuffer::writeBitmap) if (fBitmapStorage) { *bitmap = *fBitmapStorage->getBitmap(index); fBitmapStorage->releaseRef(index); @@ -223,8 +223,8 @@ bool SkReadBuffer::readBitmap(SkBitmap* bitmap) { // A non-zero size means the SkBitmap was encoded. Read the data and pixel // offset. const void* data = this->skip(length); - const int32_t xOffset = fReader.readS32(); - const int32_t yOffset = fReader.readS32(); + const int32_t xOffset = this->readInt(); + const int32_t yOffset = this->readInt(); if (fBitmapDecoder != NULL && fBitmapDecoder(data, length, bitmap)) { if (bitmap->width() == width && bitmap->height() == height) { #ifdef DEBUG_NON_DETERMINISTIC_ASSERT diff --git a/src/core/SkValidatingReadBuffer.h b/src/core/SkValidatingReadBuffer.h index 0a9e2536d4..5cf3abed68 100644 --- a/src/core/SkValidatingReadBuffer.h +++ b/src/core/SkValidatingReadBuffer.h @@ -23,7 +23,7 @@ public: SkValidatingReadBuffer(const void* data, size_t size); virtual ~SkValidatingReadBuffer(); - const void* skip(size_t size); + virtual const void* skip(size_t size) SK_OVERRIDE; // primitives virtual bool readBool() SK_OVERRIDE;