From 9fba557ad559f337b4ba3dcf5ab117cb68a3887a Mon Sep 17 00:00:00 2001
From: Kevin Lubick
Date: Wed, 16 May 2018 13:36:57 -0400
Subject: [PATCH] Remove problematic pre-allocations when deserializing

The fuzzer would frequently OOM on these.

Bug: skia:7937
Change-Id: I5e6a7dabeca327452f774100c9db05cd6be4cb06
Reviewed-on: https://skia-review.googlesource.com/128551
Reviewed-by: Florin Malita
Reviewed-by: Mike Klein
Commit-Queue: Mike Klein
---
 src/core/SkPictureData.cpp | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/core/SkPictureData.cpp b/src/core/SkPictureData.cpp
index 6ce3b5c309..571c6d7b35 100644
--- a/src/core/SkPictureData.cpp
+++ b/src/core/SkPictureData.cpp
@@ -395,9 +395,9 @@ void SkPictureData::parseBufferTag(SkReadBuffer& buffer, uint32_t tag, uint32_t
 return;
 }
 const int count = SkToInt(size);
- fPaints.reset(count);
+
 for (int i = 0; i < count; ++i) {
- if (!buffer.readPaint(&fPaints[i])) {
+ if (!buffer.readPaint(&fPaints.push_back())) {
 return;
 }
 }
@@ -408,9 +408,11 @@ void SkPictureData::parseBufferTag(SkReadBuffer& buffer, uint32_t tag, uint32_t
 if (!buffer.validate(count >= 0)) {
 return;
 }
- fPaths.reset(count);
 for (int i = 0; i < count; i++) {
- buffer.readPath(&fPaths[i]);
+ buffer.readPath(&fPaths.push_back());
+ if (!buffer.isValid()) {
+ return;
+ }
 }
 } break;
 case SK_PICT_TEXTBLOB_BUFFER_TAG:
@@ -423,6 +425,11 @@ void SkPictureData::parseBufferTag(SkReadBuffer& buffer, uint32_t tag, uint32_t
 new_array_from_buffer(buffer, size, fImages, create_image_from_buffer);
 break;
 case SK_PICT_READER_TAG: {
+ // Preflight check that we can initialize all data from the buffer
+ // before allocating it.
+ if (!buffer.validate(size <= buffer.available())) {
+ return;
+ }
 auto data(SkData::MakeUninitialized(size));
 if (!buffer.readByteArray(data->writable_data(), size) ||
 !buffer.validate(nullptr == fOpData)) {
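Review bot: The removed `fPaints.reset(count);` is replaced by an empty `+` line rather than deleted outright, so the new code carries a stray blank between `const int count = SkToInt(size);` and the loop; just drop that line. Note also that `reset(count)` cleared any existing entries whereas `push_back()` appends, so if a stream can carry the paint tag more than once the paints from both passes now accumulate — worth confirming the caller rejects a repeated tag. On a failed `readPaint` the default-constructed paint is already in `fPaints` when the function returns; that is harmless only if an invalid buffer causes the whole picture to be discarded, which this hunk does not show. parseBufferTag begins and ends outside the hunk.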
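Review bot: The path loop is still bounded only by the stream-supplied `count` (checked for `>= 0` but not against the bytes actually remaining), so if `readPath` can succeed without consuming input the loop can grow `fPaths` to `count` entries before `isValid()` ever trips. Assuming every encoded path occupies at least one byte, the preflight used for SK_PICT_READER_TAG in the next hunk applies here too and bounds growth by input length: `if (!buffer.validate(count >= 0 && static_cast<size_t>(count) <= buffer.available())) {` — the return type of `available()` is not visible, so confirm the comparison is sign-safe. As in the paint loop, the default-constructed path appended before a failing `readPath` stays in `fPaths` on the early return. The enclosing switch continues outside the hunk.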
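Review bot: The new preflight still allocates `size` bytes via `SkData::MakeUninitialized(size)` and copies them in before the existing `!buffer.validate(nullptr == fOpData)` test on the last line runs, so a stream carrying a second SK_PICT_READER_TAG pays the full allocation and read before it is rejected. Folding that test into the preflight rejects it first: `if (!buffer.validate(nullptr == fOpData && size <= buffer.available())) {`, after which the trailing `validate(nullptr == fOpData)` in the `if` below is redundant and can be dropped. `size` is `uint32_t` and the type of `buffer.available()` is not shown; if it is signed the comparison needs a cast. The `if` and the case body continue past the end of the hunk.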