Handle bad ICO data better.

Interpret size and offset as size_t, as they should be. When read
as int, they could be negative values. If they are negative (rather
than positive and very large), they will not allow us to fail the
length test, resulting in trying to read uninitialized memory.

BUG=b/16010240
R=halcanary@google.com

Author: scroggo@google.com

Review URL: https://codereview.chromium.org/374413005
scroggo 2014-07-09 15:04:20 -07:00 committed by Commit bot
parent 5fe23b357a
commit 57ad493789


@ -152,10 +152,11 @@ bool SkICOImageDecoder::onDecode(SkStream* stream, SkBitmap* bm, Mode mode)
//int reservedToo = readByte(buf, 9 + choice*16); //0
//int planes = read2Bytes(buf, 10 + choice*16); //1 - but often 0
//int fakeBitCount = read2Bytes(buf, 12 + choice*16); //should be real - usually 0
int size = read4Bytes(buf, 14 + choice*16); //matters?
int offset = read4Bytes(buf, 18 + choice*16);
if ((size_t)(offset + size) > length)
const size_t size = read4Bytes(buf, 14 + choice*16); //matters?
const size_t offset = read4Bytes(buf, 18 + choice*16);
if ((offset + size) > length) {
return false;
}
// Check to see if this is a PNG image inside the ICO
{
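Review bot: the new check `if ((offset + size) > length)` can still be bypassed by wrap-around on builds where size_t is 32 bits wide. Both values come from `read4Bytes`, so each can be up to 0xFFFFFFFF, and their sum wraps modulo 2^32 (for example offset = 0xFFFFFFF0 with size = 0x20 sums to 0x10, which is not greater than `length`), leaving the same out-of-bounds read the commit message describes for the signed case. Rewrite the test so no addition is needed, e.g. `if (offset > length || size > length - offset) { return false; }`. It would also help to state in a comment that `read4Bytes` values are deliberately widened to size_t so a negative int result cannot slip past the bound, since that is the whole reason for the `const size_t` declarations replacing `int`.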