[skottie] Fix assert for missing layer type

When the layer type is missing, fType == -1 and we rely on unsigned (size_t) underflow + check against the known types array size to catch the condition. The problem is SkToSizeT() itself asserts the input is a valid size_t, and even if it didn't clusterfuzz would likely complain about underflowing. Refactor to check for negative values explicitly. Bug: b/200660146 Change-Id: Iae74dca14ac0202ffcdd4449f0d470063916eff5 Reviewed-on: https://skia-review.googlesource.com/c/skia/+/493116 Reviewed-by: Kevin Lubick <kjlubick@google.com> Commit-Queue: Florin Malita <fmalita@google.com>
2022-01-10 12:15:24 -05:00 · 2022-01-10 12:15:24 -05:00 · 3e1354a592
commit 3e1354a592
parent 2e6181cac4
2 changed files with 28 additions and 3 deletions
--- a/modules/skottie/src/Layer.cpp
+++ b/modules/skottie/src/Layer.cpp
@ -450,12 +450,11 @@ sk_sp<sksg::RenderNode> LayerBuilder::buildRenderTree(const AnimationBuilder& ab
        { nullptr                              ,                 0 },  // 'ty': 14 -> light
    };

-    const auto type = SkToSizeT(fType);
-    if (type >= SK_ARRAY_COUNT(gLayerBuildInfo)) {
+    if (fType < 0 || static_cast<size_t>(fType) >= SK_ARRAY_COUNT(gLayerBuildInfo)) {
        return nullptr;
    }

-    const auto& build_info = gLayerBuildInfo[type];
+    const auto& build_info = gLayerBuildInfo[fType];

    // Switch to the layer animator scope (which at this point holds transform-only animators).
    AnimationBuilder::AutoScope ascope(&abuilder, std::move(fLayerScope));
--- a/modules/skottie/src/SkottieTest.cpp
+++ b/modules/skottie/src/SkottieTest.cpp
@ -861,3 +861,29 @@ DEF_TEST(Skottie_Image_Loading, reporter) {
        REPORTER_ASSERT(reporter, SkScalarNearlyEqual(multi_asset->requestedFrames()[1], 2));
    }
 }
+
+DEF_TEST(Skottie_Layer_NoType, r) {
+    static constexpr char json[] =
+        R"({
+             "v": "5.2.1",
+             "w": 100,
+             "h": 100,
+             "fr": 10,
+             "ip": 0,
+             "op": 100,
+             "layers": [
+               {
+                 "ind": 0,
+                 "ip": 0,
+                 "op": 100,
+                 "ks": {}
+               }
+             ]
+           })";
+
+    SkMemoryStream stream(json, strlen(json));
+    auto anim = Animation::Make(&stream);
+
+    // passes if we don't crash
+    REPORTER_ASSERT(r, anim);
+}