Fixing crash found by fuzzer

A previous fix only partially fixed this issue by adding validation on some inputs of SkImageInfo. If anything invalid is detected in SkImageInfo, unfortunately, this can cause getSafeSize() to do an illegal memory access while calling bytesPerPixel(), which could have a bad color type at this point.

A possible fix is to simply make sure we are in a valid state before calling getSafeSize().

BUG=329254
R=reed@google.com, mtklein@google.com, bsalomon@google.com, sugoi@google.com

Author: sugoi@chromium.org

Review URL: https://codereview.chromium.org/107003006

git-svn-id: http://skia.googlecode.com/svn/trunk@12844 2bbb7eff-a529-9590-31e7-b0007b416f81
commit-bot@chromium.org 2013-12-30 15:48:10 +00:00
parent 57212f9469
commit fbd9b17711


@ -141,7 +141,7 @@ SkMallocPixelRef::SkMallocPixelRef(SkFlattenableReadBuffer& buffer)
, fOwnPixels(true) , fOwnPixels(true)
{ {
fRB = buffer.read32(); fRB = buffer.read32();
size_t size = this->info().getSafeSize(fRB); size_t size = buffer.isValid() ? this->info().getSafeSize(fRB) : 0;
if (buffer.validateAvailable(size)) { if (buffer.validateAvailable(size)) {
fStorage = sk_malloc_throw(size); fStorage = sk_malloc_throw(size);
buffer.readByteArray(fStorage, size); buffer.readByteArray(fStorage, size);
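Review bot: the guard on `buffer.isValid()` only changes the size computation, so on an invalid buffer the constructor still falls through to `buffer.validateAvailable(0)`, `sk_malloc_throw(0)` and `buffer.readByteArray(fStorage, 0)` with a pixel ref whose info was never validated. Consider wrapping the whole allocate-and-read block in the validity check (e.g. `if (buffer.isValid() && buffer.validateAvailable(size)) {`) or otherwise leaving `fStorage` null and the buffer marked invalid so the caller cannot use the half-constructed object. Note also that `fRB = buffer.read32();` is still read before the validity check, and that the fix relies on every invalid `SkImageInfo` having already marked the buffer invalid; any invalid info not caught by that earlier validation would still reach `getSafeSize()` and `bytesPerPixel()` through this path.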