Commit Graph

28 Commits

Author SHA1 Message Date
Leon Scroggins III
cbf66a2213 Ensure all rows of a gif are initialized
Bug: oss-fuzz:6274

Even if a frame does not have enough LZW blocks to decode all rows,
(which is unknown until we actually decode them), it is marked complete
once there are no more LZW blocks.

When decoding, even if we've decoded all LZW blocks, check fRowsDecoded
to determine whether we've actually all the rows. Report the number of
rows decoded so that SkCodec can fill in the remaining ones.

Change-Id: I1d6e0c29e3c37649725836cf24a4a239e3266b76
Reviewed-on: https://skia-review.googlesource.com/106964
Commit-Queue: Leon Scroggins <scroggo@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>
2018-02-16 17:26:56 +00:00
Leon Scroggins III
ce6d93a815 Check for min int in BMP header
Bug: os-fuzz:6288

Negating it is undefined, so don't try.

Change-Id: I055520b8036dd8b355e744114717e08d76206bc1
Reviewed-on: https://skia-review.googlesource.com/107062
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Leon Scroggins <scroggo@google.com>
2018-02-15 15:36:19 +00:00
Leon Scroggins III
fee7cbaf44 Check the length of marker before reading it
Bug: os-fuzz:6295
Change-Id: I0ea9a3c54d61d41f21f2e9b945ab83fa2beb00d8
Reviewed-on: https://skia-review.googlesource.com/107025
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Leon Scroggins <scroggo@google.com>
2018-02-13 22:05:53 +00:00
Leon Scroggins III
fc4ee229a6 Fix double delete in SkBmpCodec
Previously, if ReadHeader returned false, it deleted the input stream.
But there are a couple of cases where ReadHeader creates an SkCodec and
then returns false. The SkCodec deletes the stream, and then so does
NewFromStream.

Make sure that we do not double delete by only deleting if no SkCodec
was created.

Add a test, so such a double delete will be caught by the bots.

Bug: b/37623797
Change-Id: I787422c9af58f0b92ad9e9ef9ad87c54a12f5e31
Reviewed-on: https://skia-review.googlesource.com/23620
Reviewed-by: Derek Sollenberger <djsollen@google.com>
Commit-Queue: Leon Scroggins <scroggo@google.com>
2017-07-14 16:25:54 +00:00
Leon Scroggins III
12a4dc985b Defend against ICOs with large BMPs embedded
If the ICO reports that it has a large BMP file embedded, do not
crash if we attempt to allocate too much memory.

Bug: b/38116746
Change-Id: I70eb66f5e4ffc15587007b398bbe843665eae500
Reviewed-on: https://skia-review.googlesource.com/18447
Reviewed-by: Matt Sarett <msarett@google.com>
Commit-Queue: Leon Scroggins <scroggo@google.com>
2017-06-05 18:28:19 +00:00
Matt Sarett
d59948a171 SkPngCodec: Do not return kInvalidConversion on corrupt png
In this case, the fuzzer thinks there is a bug because we are
returning kInvalidConversion for a corrupt png file.

Bug: skia:6550
Change-Id: I33f588442f5eaa8a4d642e9328750779f9a9ef5d
Reviewed-on: https://skia-review.googlesource.com/14324
Commit-Queue: Matt Sarett <msarett@google.com>
Reviewed-by: Leon Scroggins <scroggo@google.com>
2017-04-26 17:43:38 +00:00
Leon Scroggins III
0354c62e0b Set a limit on the size for BMP images
This limit matches the limit used by Chromium. I am not aware of any
real world BMPs that are larger than this (or even close to it), but
there are some invalid BMPs that are larger than this, leading to
crashes when we try to read a row.

BUG:34778578
BUG=skia:3617

Change-Id: I0f662e8d0d7bc0b084e86d0c9288b831e1b296d7
Reviewed-on: https://skia-review.googlesource.com/8966
Reviewed-by: Matt Sarett <msarett@google.com>
Commit-Queue: Leon Scroggins <scroggo@google.com>
2017-02-24 21:25:44 +00:00
Matt Sarett
5c49617f3d Reland "Respect canvas size and frame offset in webp decoder"
Original Change Reviewed At:
https://skia-review.googlesource.com/c/7800

CQ_INCLUDE_TRYBOTS=skia.primary:Test-Ubuntu-Clang-GCE-CPU-AVX2-x86_64-Debug-MSAN

BUG=skia:6185

Change-Id: I1a7732832d37920545c1775d7c7c65b43ed810f9
Reviewed-on: https://skia-review.googlesource.com/8157
Reviewed-by: Matt Sarett <msarett@google.com>
Commit-Queue: Matt Sarett <msarett@google.com>
2017-02-07 22:40:13 +00:00
Matt Sarett
2bb94e8147 Revert "Reland "Respect canvas size and frame offset in webp decoder""
This reverts commit 604971e39a.

Reason for revert: Strange vk failures

Original change's description:
> Reland "Respect canvas size and frame offset in webp decoder"
> 
> Original Change Reviewed At:
> https://skia-review.googlesource.com/c/7800
> 
> CQ_INCLUDE_TRYBOTS=skia.primary:Test-Ubuntu-Clang-GCE-CPU-AVX2-x86_64-Debug-MSAN
> 
> BUG=skia:6185
> 
> Change-Id: I92baa9070e15ef3c62dd347c08c906c2715dda10
> Reviewed-on: https://skia-review.googlesource.com/8050
> Reviewed-by: Matt Sarett <msarett@google.com>
> Commit-Queue: Matt Sarett <msarett@google.com>
> 

TBR=msarett@google.com,reviews@skia.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=skia:6185
CQ_INCLUDE_TRYBOTS=skia.primary:Test-Ubuntu-Clang-GCE-CPU-AVX2-x86_64-Debug-MSAN

Change-Id: Ice93b62c55ea13fce83140567be16225ff0e2fdb
Reviewed-on: https://skia-review.googlesource.com/8123
Commit-Queue: Matt Sarett <msarett@google.com>
Reviewed-by: Matt Sarett <msarett@google.com>
2017-02-07 16:39:39 +00:00
Matt Sarett
604971e39a Reland "Respect canvas size and frame offset in webp decoder"
Original Change Reviewed At:
https://skia-review.googlesource.com/c/7800

CQ_INCLUDE_TRYBOTS=skia.primary:Test-Ubuntu-Clang-GCE-CPU-AVX2-x86_64-Debug-MSAN

BUG=skia:6185

Change-Id: I92baa9070e15ef3c62dd347c08c906c2715dda10
Reviewed-on: https://skia-review.googlesource.com/8050
Reviewed-by: Matt Sarett <msarett@google.com>
Commit-Queue: Matt Sarett <msarett@google.com>
2017-02-06 18:55:41 +00:00
Robert Phillips
b3050b91f0 Revert "Respect canvas size and frame offset in webp decoder"
This reverts commit 0f33970c8d.

Reason for revert: msan complaint

Original change's description:
> Respect canvas size and frame offset in webp decoder
> 
> BUG=skia:6185
> 
> Change-Id: Id543cb689a5e33b800ebbc18f4a234e78a4c4298
> Reviewed-on: https://skia-review.googlesource.com/7800
> Commit-Queue: Matt Sarett <msarett@google.com>
> Reviewed-by: Leon Scroggins <scroggo@google.com>
> 

TBR=borenet@google.com,msarett@google.com,scroggo@google.com,reviews@skia.org
# Not skipping CQ checks because original CL landed > 1 day ago.
BUG=skia:6185

Change-Id: Ie01dc7d7ebfebe36a235335d0d8cb28bccb2ecff
Reviewed-on: https://skia-review.googlesource.com/8046
Commit-Queue: Robert Phillips <robertphillips@google.com>
Reviewed-by: Robert Phillips <robertphillips@google.com>
2017-02-06 13:43:16 +00:00
Matt Sarett
0f33970c8d Respect canvas size and frame offset in webp decoder
BUG=skia:6185

Change-Id: Id543cb689a5e33b800ebbc18f4a234e78a4c4298
Reviewed-on: https://skia-review.googlesource.com/7800
Commit-Queue: Matt Sarett <msarett@google.com>
Reviewed-by: Leon Scroggins <scroggo@google.com>
2017-02-03 21:45:30 +00:00
Leon Scroggins III
b3b24538e0 Use fixed size buffer for RLE bmps
An RLE bmp reports how many bytes it should contain. This number may be
incorrect, or it may be a very large number. Previously, we buffered
all bytes in a single allocation. Instead, use a fixed size buffer and
only read what fits into the buffer. We already have code to refill the
buffer if there is more data, so rely on that to keep reading.

Choose an arbitrary size for the buffer. It is larger than the maximum
possible number of bytes we need to read at once.

Add a test with a test image that reports a very large number for
the number of bytes it should contain. With the old method, we would
allocate 4 gigs of memory to decode this image, which is unnecessary
and may result in OOM.

BUG=b/33251605

Change-Id: I6d66eace626002725f62237617140cab99ce42f3
Reviewed-on: https://skia-review.googlesource.com/7028
Commit-Queue: Leon Scroggins <scroggo@google.com>
Reviewed-by: Matt Sarett <msarett@google.com>
2017-01-19 14:21:02 +00:00
Leon Scroggins III
0b24cbd9db Stop supporting kUnknown_BmpHeaderType
In SkBmpCodec, if the header size does not match a known header,
stop trying to create an SkCodec. We do not know of any BMPs with
arbitrarily sized headers, so this should not cause any real
regressions.

In addition, this fixes a bug where we attempt to read too much data
from a file. Since we attempt to read the header size in one read,
and a size reported by the "BMP" may be larger than SSIZE_MAX, this
will crash when reading from a file.

Add a test.

BUG:b/33651913

Change-Id: I0f3292db3124dc5ac5cbdbc07196bda130a49ba7
Reviewed-on: https://skia-review.googlesource.com/6150
Commit-Queue: Leon Scroggins <scroggo@google.com>
Reviewed-by: Matt Sarett <msarett@google.com>
2016-12-15 21:48:03 +00:00
Leon Scroggins III
56e3209c70 SkGifCodec: intersect frameRect with image size
When clearing due to SkCodecAnimation::RestoreBGColor_DisposalMethod,
intersect the frameRect with the image size to prevent clearing outside
the bounds of the allocated memory.

Add a test image, created by the fuzzer.

BUG=skia:6046

Change-Id: I43676d28f82abf093ef801752f3a9e881580924c
Reviewed-on: https://skia-review.googlesource.com/5860
Commit-Queue: Leon Scroggins <scroggo@google.com>
Reviewed-by: Matt Sarett <msarett@google.com>
2016-12-13 14:00:17 +00:00
Matt Sarett
dbdf6d210b Fail jpeg decodes on too many progressive scans
BUG:642462

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=4560

Change-Id: I22891ce1e0b3a1bedefc34dadd5cf34dfc301b79
Reviewed-on: https://skia-review.googlesource.com/4560
Reviewed-by: Leon Scroggins <scroggo@google.com>
Commit-Queue: Matt Sarett <msarett@google.com>
2016-11-08 21:39:15 +00:00
Matt Sarett
8a4e9c51f4 SkGifCodec: do not write off the end of memory when repeatCount > 1
BUG=skia:5887

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=3940

Change-Id: I9e3ed6153a73277896ac067ef73918a41a0546b8
Reviewed-on: https://skia-review.googlesource.com/3940
Reviewed-by: Leon Scroggins <scroggo@google.com>
Commit-Queue: Matt Sarett <msarett@google.com>
2016-10-26 00:43:27 +00:00
Matt Sarett
29121ebd9e Avoid integer overflow in SkIcoCodec and SkImageInfo
Original Commit Message:
"""
Avoid integer overflow in SkIcoCodec

Definitely good to avoid overflow here.

FWIW, this looks to be harmless for Android's current use.
They will just fail later on when trying to allocate the
bitmap.

BUG=skia:5857
"""

With the new test, ASAN also caught an integer overflow
bug in SkImageInfo.  Fix this as well.

CQ_INCLUDE_TRYBOTS=master.client.skia:Test-Ubuntu-Clang-GCE-CPU-AVX2-x86_64-Debug-ASAN;master.client.skia.android:Test-Android-Clang-AndroidOne-CPU-MT6582-arm-Debug-GN_Android

BUG=skia:5857

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=3568

Change-Id: I0d777a547850474ea6cea87e36efa05434e33635
Reviewed-on: https://skia-review.googlesource.com/3568
Reviewed-by: Kevin Lubick <kjlubick@google.com>
2016-10-17 21:19:54 +00:00
Matt Sarett
af017418b3 Revert "Avoid integer overflow in SkIcoCodec"
This reverts commit 20cba06a4b.

Reason for revert: <INSERT REASONING HERE>


TBR=msarett@google.com,scroggo@google.com,kjlubick@google.com,reviews@skia.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Change-Id: Id8f48a90a7dc620f9c0ee2f419d14bae2b0c1e7e
Reviewed-on: https://skia-review.googlesource.com/3564
Commit-Queue: Matt Sarett <msarett@google.com>
Reviewed-by: Matt Sarett <msarett@google.com>
2016-10-17 17:43:32 +00:00
Matt Sarett
20cba06a4b Avoid integer overflow in SkIcoCodec
Definitely good to avoid overflow here.

FWIW, this looks to be harmless for Android's current use.
They will just fail later on when trying to allocate the
bitmap.

BUG=skia:5857

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=3527

Change-Id: Ia1fb7d864d21ecdb127a1dd1a72cab8375cb43fb
Reviewed-on: https://skia-review.googlesource.com/3527
Commit-Queue: Matt Sarett <msarett@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Leon Scroggins <scroggo@google.com>
2016-10-17 17:10:40 +00:00
msarett
c5064d9c3d Revert of Add regression test (patchset #2 id:20001 of https://codereview.chromium.org/2243143002/ )
Reason for revert:
Nexus 9 and Nexus Player failures.

Original issue's description:
> Add regression test
>
> Original bug fix was in:
> https://codereview.chromium.org/2230163002
>
> BUG:636268
> GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2243143002
>
> Committed: https://skia.googlesource.com/skia/+/bcae9d3d15d34a59d279c34e187e6101975500c0

TBR=reed@google.com,gogil@stealien.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2243403003
2016-08-16 04:54:19 -07:00
msarett
bcae9d3d15 Add regression test
Original bug fix was in:
https://codereview.chromium.org/2230163002

BUG:636268
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2243143002

Review-Url: https://codereview.chromium.org/2243143002
2016-08-15 09:42:00 -07:00
msarett
d0375bc460 Fix bmp RLE "bug"
Chromium's test suite contains an RLE image that reports a certain
file size in the header, but then contains additional encoded data.
Our bmp decoder would only decode half of the image, before stopping.

With this fix, we check for additional data before returning
kIncompleteInput.

If this lands, I will upload the test image to the bots.

Also adding an invalid image test to CodexTest.

BUG=skia:

Review URL: https://codereview.chromium.org/1273853004
2015-08-12 08:08:56 -07:00
scroggo
139491fbaa Use the upstream version of libwebp, v0.4.3.
DEPS:
Update to pull v0.4.3 of libwebp from upstream

gyp/libwebp.gyp:
Add new files, as referenced by the gyp file used by Chromium.

resource/tests:
Add regression tests for particular images.

BUG=skia:3442
BUG=skia:3315
BUG=skia:3429

Committed: https://skia.googlesource.com/skia/+/3aa0fb4d80c76b559ff4b82d5e569993aea06da1

Review URL: https://codereview.chromium.org/1178013008
2015-07-10 09:32:09 -07:00
scroggo
c1d1dd738e Revert of Use the upstream version of libwebp, v0.4.3. (patchset #6 id:70001 of https://codereview.chromium.org/1178013008/)
Reason for revert:
Breaking the build e.g. http://build.chromium.org/p/client.skia/builders/Perf-Mac10.8-Clang-MacMini4.1-GPU-GeForce320M-x86_64-Release/builds/1082/steps/build%20nanobench/logs/stdio

../../../third_party/externals/libwebp/src/utils/./endian_inl.h:51:10: error: use of unknown builtin '__builtin_bswap16' [-Wimplicit-function-declaration]
  return __builtin_bswap16(x);
         ^
1 error generated.

Original issue's description:
> Use the upstream version of libwebp, v0.4.3.
>
> DEPS:
> Update to pull v0.4.3 of libwebp from upstream
>
> gyp/libwebp.gyp:
> Add new files, as referenced by the gyp file used by Chromium.
>
> resource/tests:
> Add regression tests for particular images.
>
> BUG=skia:3442
> BUG=skia:3315
> BUG=skia:3429
>
> Committed: https://skia.googlesource.com/skia/+/3aa0fb4d80c76b559ff4b82d5e569993aea06da1

TBR=djsollen@google.com,jzern@chromium.org,msarett@google.com,emmaleer@google.com,scroggo@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=skia:3442

Review URL: https://codereview.chromium.org/1223583004
2015-07-08 10:57:22 -07:00
scroggo
3aa0fb4d80 Use the upstream version of libwebp, v0.4.3.
DEPS:
Update to pull v0.4.3 of libwebp from upstream

gyp/libwebp.gyp:
Add new files, as referenced by the gyp file used by Chromium.

resource/tests:
Add regression tests for particular images.

BUG=skia:3442
BUG=skia:3315
BUG=skia:3429

Review URL: https://codereview.chromium.org/1178013008
2015-07-08 10:48:40 -07:00
msarett
6e8f9033bb Ico security issues fix
BUG=skia:3401
BUG=skia:3426
BUG=skia:3441

Review URL: https://codereview.chromium.org/996173005
2015-03-13 08:07:01 -07:00
scroggo
b61e206138 Add tests (and fix!) for known bad ICO files.
We previously saw crashes decoding bad ICO files. Add tests for
known bad files.

While testing, I learned that one of them still crashes. Check for
large offset and size separately to fix the crash.

BUG=skia:2878

Review URL: https://codereview.chromium.org/712123002
2014-11-10 13:12:25 -08:00