AuroraMiddleware/skia2
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Validate text blob runs after SkTextBlob construction.

Browse Source 
This avoids tripping CFI when casting uninitialized SkTextBlob ptrs.

BUG=chromium:538754
R=bungeman@google.com,reed@google.com,krasin@google.com

Review URL: https://codereview.chromium.org/1388543005
This commit is contained in:
fmalita 2015-10-05 11:09:57 -07:00 committed by Commit bot
parent 2f5bb3abfa
commit 92d976c3ad
1 changed files with 6 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/core/SkTextBlob.cpp
View File

@ -157,7 +157,7 @@ public:
+ StorageSize(run->glyphCount(), run->positioning()));
}
void validate(uint8_t* storageTop) const {
void validate(const uint8_t* storageTop) const {
SkASSERT(kRunRecordMagic == fMagic);
SkASSERT((uint8_t*)Next(this) <= storageTop);
SkASSERT(glyphBuffer() + fCount <= (uint16_t*)posBuffer());
@ -583,21 +583,20 @@ const SkTextBlob* SkTextBlobBuilder::build() {
fStorage.realloc(fStorageUsed);
}
const SkTextBlob* blob = new (fStorage.detach()) SkTextBlob(fRunCount, fBounds);
SkDEBUGCODE(const_cast<SkTextBlob*>(blob)->fStorageSize = fStorageSize;)
SkDEBUGCODE(
size_t validateSize = sizeof(SkTextBlob);
const SkTextBlob::RunRecord* run =
SkTextBlob::RunRecord::First(reinterpret_cast<const SkTextBlob*>(fStorage.get()));
const SkTextBlob::RunRecord* run = SkTextBlob::RunRecord::First(blob);
for (int i = 0; i < fRunCount; ++i) {
validateSize += SkTextBlob::RunRecord::StorageSize(run->fCount, run->fPositioning);
run->validate(fStorage.get() + fStorageUsed);
run->validate(reinterpret_cast<const uint8_t*>(blob) + fStorageUsed);
run = SkTextBlob::RunRecord::Next(run);
}
SkASSERT(validateSize == fStorageUsed);
)
const SkTextBlob* blob = new (fStorage.detach()) SkTextBlob(fRunCount, fBounds);
SkDEBUGCODE(const_cast<SkTextBlob*>(blob)->fStorageSize = fStorageSize;)
fStorageUsed = 0;
fStorageSize = 0;
fRunCount = 0;