Fix SkTextblob deserialization fuzzer issues

1) ../../src/core/SkTextBlob.cpp:778:27: runtime error: load of value 143, which is not a valid value for type 'bool' 2) ../../src/core/SkValidatingReadBuffer.cpp:208:16: runtime error: null pointer passed as argument 1, which is declared to never be null BUG=skia:7337 Change-Id: I1df163ad378fdd2f3e4d918eb511d9f32ff41d25 Reviewed-on: https://skia-review.googlesource.com/75380 Reviewed-by: Kevin Lubick <kjlubick@google.com> Commit-Queue: Florin Malita <fmalita@chromium.org>
2017-11-22 10:53:33 -05:00 · 2017-11-22 10:53:33 -05:00 · 90dcafcc93
commit 90dcafcc93
parent 2bd856ded9
1 changed files with 11 additions and 1 deletions
--- a/src/core/SkTextBlob.cpp
+++ b/src/core/SkTextBlob.cpp
@ -310,14 +310,18 @@ SkTextBlob::~SkTextBlob() {
 }

 namespace {
+
 union PositioningAndExtended {
    int32_t intValue;
    struct {
        SkTextBlob::GlyphPositioning positioning;
-        bool extended;
+        uint8_t  extended;
        uint16_t padding;
    };
 };
+
+static_assert(sizeof(PositioningAndExtended) == sizeof(int32_t), "");
+
 } // namespace

 unsigned SkTextBlob::ScalarsPerGlyph(GlyphPositioning pos) {
@ -806,6 +810,12 @@ sk_sp<SkTextBlob> SkTextBlob::MakeFromBuffer(SkReadBuffer& reader) {
                return nullptr;
        }

+        if (!buf->glyphs ||
+            !buf->pos ||
+            (pe.extended && (!buf->clusters || !buf->utf8text))) {
+            return nullptr;
+        }
+
        if (!reader.readByteArray(buf->glyphs, glyphCount * sizeof(uint16_t)) ||
            !reader.readByteArray(buf->pos,
                                  glyphCount * sizeof(SkScalar) * ScalarsPerGlyph(pos))) {