Prevent SkMatrixConvolutionImageFilter from allocating large buffers it can't fill

Bug: skia:7937 Change-Id: I71a5673939b3d91864a4b788e1e3a520b0ee04dd Reviewed-on: https://skia-review.googlesource.com/129179 Reviewed-by: Mike Klein <mtklein@google.com> Commit-Queue: Kevin Lubick <kjlubick@google.com>
2018-05-18 11:32:33 -04:00 · 2018-05-18 11:32:33 -04:00 · 160e93dc19
commit 160e93dc19
parent 832aa11e90
1 changed files with 6 additions and 0 deletions
--- a/src/effects/SkMatrixConvolutionImageFilter.cpp
+++ b/src/effects/SkMatrixConvolutionImageFilter.cpp
@ -90,6 +90,9 @@ sk_sp<SkFlattenable> SkMatrixConvolutionImageFilter::CreateProc(SkReadBuffer& bu
    if (!buffer.validate(kernelArea == count)) {
        return nullptr;
    }
+    if (!buffer.validateCanReadN<SkScalar>(count)) {
+        return nullptr;
+    }
    SkAutoSTArray<16, SkScalar> kernel(count);
    if (!buffer.readScalarArray(kernel.get(), count)) {
        return nullptr;
@ -103,6 +106,9 @@ sk_sp<SkFlattenable> SkMatrixConvolutionImageFilter::CreateProc(SkReadBuffer& bu
    TileMode tileMode = buffer.read32LE(kLast_TileMode);
    bool convolveAlpha = buffer.readBool();

+    if (!buffer.isValid()) {
+        return nullptr;
+    }
    return Make(kernelSize, kernel.get(), gain, bias, kernelOffset, tileMode,
                convolveAlpha, common.getInput(0), &common.cropRect());
 }