Bug: oss-fuzz:6274
Even if a frame does not have enough LZW blocks to decode all rows,
(which is unknown until we actually decode them), it is marked complete
once there are no more LZW blocks.
When decoding, even if we've decoded all LZW blocks, check fRowsDecoded
to determine whether we've actually all the rows. Report the number of
rows decoded so that SkCodec can fill in the remaining ones.
Change-Id: I1d6e0c29e3c37649725836cf24a4a239e3266b76
Reviewed-on: https://skia-review.googlesource.com/106964
Commit-Queue: Leon Scroggins <scroggo@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>
Bug: os-fuzz:6288
Negating it is undefined, so don't try.
Change-Id: I055520b8036dd8b355e744114717e08d76206bc1
Reviewed-on: https://skia-review.googlesource.com/107062
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Leon Scroggins <scroggo@google.com>
Bug: os-fuzz:6295
Change-Id: I0ea9a3c54d61d41f21f2e9b945ab83fa2beb00d8
Reviewed-on: https://skia-review.googlesource.com/107025
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Leon Scroggins <scroggo@google.com>
Previously, if ReadHeader returned false, it deleted the input stream.
But there are a couple of cases where ReadHeader creates an SkCodec and
then returns false. The SkCodec deletes the stream, and then so does
NewFromStream.
Make sure that we do not double delete by only deleting if no SkCodec
was created.
Add a test, so such a double delete will be caught by the bots.
Bug: b/37623797
Change-Id: I787422c9af58f0b92ad9e9ef9ad87c54a12f5e31
Reviewed-on: https://skia-review.googlesource.com/23620
Reviewed-by: Derek Sollenberger <djsollen@google.com>
Commit-Queue: Leon Scroggins <scroggo@google.com>
If the ICO reports that it has a large BMP file embedded, do not
crash if we attempt to allocate too much memory.
Bug: b/38116746
Change-Id: I70eb66f5e4ffc15587007b398bbe843665eae500
Reviewed-on: https://skia-review.googlesource.com/18447
Reviewed-by: Matt Sarett <msarett@google.com>
Commit-Queue: Leon Scroggins <scroggo@google.com>
In this case, the fuzzer thinks there is a bug because we are
returning kInvalidConversion for a corrupt png file.
Bug: skia:6550
Change-Id: I33f588442f5eaa8a4d642e9328750779f9a9ef5d
Reviewed-on: https://skia-review.googlesource.com/14324
Commit-Queue: Matt Sarett <msarett@google.com>
Reviewed-by: Leon Scroggins <scroggo@google.com>
This limit matches the limit used by Chromium. I am not aware of any
real world BMPs that are larger than this (or even close to it), but
there are some invalid BMPs that are larger than this, leading to
crashes when we try to read a row.
BUG:34778578
BUG=skia:3617
Change-Id: I0f662e8d0d7bc0b084e86d0c9288b831e1b296d7
Reviewed-on: https://skia-review.googlesource.com/8966
Reviewed-by: Matt Sarett <msarett@google.com>
Commit-Queue: Leon Scroggins <scroggo@google.com>
An RLE bmp reports how many bytes it should contain. This number may be
incorrect, or it may be a very large number. Previously, we buffered
all bytes in a single allocation. Instead, use a fixed size buffer and
only read what fits into the buffer. We already have code to refill the
buffer if there is more data, so rely on that to keep reading.
Choose an arbitrary size for the buffer. It is larger than the maximum
possible number of bytes we need to read at once.
Add a test with a test image that reports a very large number for
the number of bytes it should contain. With the old method, we would
allocate 4 gigs of memory to decode this image, which is unnecessary
and may result in OOM.
BUG=b/33251605
Change-Id: I6d66eace626002725f62237617140cab99ce42f3
Reviewed-on: https://skia-review.googlesource.com/7028
Commit-Queue: Leon Scroggins <scroggo@google.com>
Reviewed-by: Matt Sarett <msarett@google.com>
In SkBmpCodec, if the header size does not match a known header,
stop trying to create an SkCodec. We do not know of any BMPs with
arbitrarily sized headers, so this should not cause any real
regressions.
In addition, this fixes a bug where we attempt to read too much data
from a file. Since we attempt to read the header size in one read,
and a size reported by the "BMP" may be larger than SSIZE_MAX, this
will crash when reading from a file.
Add a test.
BUG:b/33651913
Change-Id: I0f3292db3124dc5ac5cbdbc07196bda130a49ba7
Reviewed-on: https://skia-review.googlesource.com/6150
Commit-Queue: Leon Scroggins <scroggo@google.com>
Reviewed-by: Matt Sarett <msarett@google.com>
When clearing due to SkCodecAnimation::RestoreBGColor_DisposalMethod,
intersect the frameRect with the image size to prevent clearing outside
the bounds of the allocated memory.
Add a test image, created by the fuzzer.
BUG=skia:6046
Change-Id: I43676d28f82abf093ef801752f3a9e881580924c
Reviewed-on: https://skia-review.googlesource.com/5860
Commit-Queue: Leon Scroggins <scroggo@google.com>
Reviewed-by: Matt Sarett <msarett@google.com>
Original Commit Message:
"""
Avoid integer overflow in SkIcoCodec
Definitely good to avoid overflow here.
FWIW, this looks to be harmless for Android's current use.
They will just fail later on when trying to allocate the
bitmap.
BUG=skia:5857
"""
With the new test, ASAN also caught an integer overflow
bug in SkImageInfo. Fix this as well.
CQ_INCLUDE_TRYBOTS=master.client.skia:Test-Ubuntu-Clang-GCE-CPU-AVX2-x86_64-Debug-ASAN;master.client.skia.android:Test-Android-Clang-AndroidOne-CPU-MT6582-arm-Debug-GN_Android
BUG=skia:5857
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=3568
Change-Id: I0d777a547850474ea6cea87e36efa05434e33635
Reviewed-on: https://skia-review.googlesource.com/3568
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Definitely good to avoid overflow here.
FWIW, this looks to be harmless for Android's current use.
They will just fail later on when trying to allocate the
bitmap.
BUG=skia:5857
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=3527
Change-Id: Ia1fb7d864d21ecdb127a1dd1a72cab8375cb43fb
Reviewed-on: https://skia-review.googlesource.com/3527
Commit-Queue: Matt Sarett <msarett@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Leon Scroggins <scroggo@google.com>
Chromium's test suite contains an RLE image that reports a certain
file size in the header, but then contains additional encoded data.
Our bmp decoder would only decode half of the image, before stopping.
With this fix, we check for additional data before returning
kIncompleteInput.
If this lands, I will upload the test image to the bots.
Also adding an invalid image test to CodexTest.
BUG=skia:
Review URL: https://codereview.chromium.org/1273853004
DEPS:
Update to pull v0.4.3 of libwebp from upstream
gyp/libwebp.gyp:
Add new files, as referenced by the gyp file used by Chromium.
resource/tests:
Add regression tests for particular images.
BUG=skia:3442
BUG=skia:3315
BUG=skia:3429
Review URL: https://codereview.chromium.org/1178013008
We previously saw crashes decoding bad ICO files. Add tests for
known bad files.
While testing, I learned that one of them still crashes. Check for
large offset and size separately to fix the crash.
BUG=skia:2878
Review URL: https://codereview.chromium.org/712123002
