author | android-build-team Robot <android-build-team-robot@google.com> | 2017-07-11 22:40:15 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2017-07-11 22:40:15 +0000 |
commit | 95a8ed1b1d3f1b0ca04ec89d55139c3a1801d3f0 (patch) | |
tree | 3b2aeb489a89efdf9800f46caffa112e14da7d34 | |
parent | c7345dbf1329e992872e1d3ba4042ef5defcb8ce (diff) | |
parent | a3ff11caa4d2d7837dcd180caab6b024098ef3f2 (diff) | |
release-request-556939d2-cc5e-453a-b797-8a7cb6dacac2-for-git_nyc-mr1-security-f-release-4118426 snap-temp-L72200000081371809android-7.1.1_r50nougat-mr1.6-release
Change-Id: Iefac5556fe41d42caa09a331e45e63e6cf2a5f3c
-rw-r--r-- | gdx/jni/com.badlogic.gdx.graphics.glutils.ETC1.cpp | 29 | ||||
-rw-r--r-- | gdx/jni/gdx2d/gdx2d.c | 21 | ||||
-rw-r--r-- | gdx/jni/gdx2d/jpgd.cpp | 51 | ||||
-rw-r--r-- | gdx/jni/gdx2d/stb_image.h | 19 |
4 files changed, 104 insertions, 16 deletions
diff --git a/gdx/jni/com.badlogic.gdx.graphics.glutils.ETC1.cpp b/gdx/jni/com.badlogic.gdx.graphics.glutils.ETC1.cpp
index 94dc321f9..0c6eabdca 100644
--- a/gdx/jni/com.badlogic.gdx.graphics.glutils.ETC1.cpp
+++ b/gdx/jni/com.badlogic.gdx.graphics.glutils.ETC1.cpp
@@ -1,4 +1,7 @@
 #include <com.badlogic.gdx.graphics.glutils.ETC1.h>
+#include <android/log.h>
+
+#define APP_LOG "GDX"
 //@line:196
@@ -86,9 +89,29 @@ JNIEXPORT void JNICALL Java_com_badlogic_gdx_graphics_glutils_ETC1_decodeImage(J
 //@line:249
- etc1_decode_image((etc1_byte*)compressedData + offset, (etc1_byte*)decodedData + offsetDec, width, height, pixelSize, width * pixelSize);
-
-
+ // Nothing to decode, or no target
+ if (compressedData == 0 || decodedData == 0) {
+ __android_log_print(ANDROID_LOG_VERBOSE, APP_LOG, "Invalid buffers, null pointer.");
+ return;
+ }
+
+ /// Verify if requested bounds are valid
+ jlong compressedLength = env->GetDirectBufferCapacity(obj_compressedData);
+ jlong decodedLength = env->GetDirectBufferCapacity(obj_decodedData);
+ if (offset < 0 || compressedLength - offset > decodedLength - offsetDec) {
+ __android_log_print(ANDROID_LOG_VERBOSE,
+ APP_LOG, "Invalid buffers, would cause heap overflow. %lu > %lu",
+ compressedLength - offset,
+ decodedLength - offsetDec);
+ return;
+ }
+
+ etc1_decode_image((etc1_byte*)compressedData + offset,
+ (etc1_byte*)decodedData + offsetDec,
+ width,
+ height,
+ pixelSize,
+ width * pixelSize);
 }
 static inline jobject wrapped_Java_com_badlogic_gdx_graphics_glutils_ETC1_encodeImage
diff --git a/gdx/jni/gdx2d/gdx2d.c b/gdx/jni/gdx2d/gdx2d.c
index 13ceba23b..70cfc7d98 100644
--- a/gdx/jni/gdx2d/gdx2d.c
+++ b/gdx/jni/gdx2d/gdx2d.c
@@ -17,6 +17,9 @@
 #include "stb_image.h"
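Review bot: The bounds check in the new `if (offset < 0 || compressedLength - offset > decodedLength - offsetDec)` compares the wrong quantities: the decoder writes `height` rows of `width * pixelSize` bytes (the stride passed as the last argument) starting at `decodedData + offsetDec`, and the compressed input is a different, smaller size, so comparing the two remaining lengths proves neither that the output fits nor that the input is complete. `offsetDec` is never checked for sign, `offset` is not compared against `compressedLength` (a large offset makes `compressedLength - offset` negative, which passes the `>` test), and `GetDirectBufferCapacity` returns -1 for a non-direct buffer, which also passes. The format string uses `%lu` for `jlong` values, a mismatch on 32-bit ABIs; cast to `long long` and use `%lld`. Each side should be validated against what is actually read and written, as below (the ETC1 header that declares `etc1_decode_image` also provides `etc1_get_encoded_data_size` for the input side). The function's signature and parameter list are outside the hunk.
```cpp
	/// Verify if requested bounds are valid
	jlong compressedLength = env->GetDirectBufferCapacity(obj_compressedData);
	jlong decodedLength = env->GetDirectBufferCapacity(obj_decodedData);
	if (width < 0 || height < 0 || pixelSize < 0
	    || offset < 0 || offsetDec < 0
	    || offset > compressedLength || offsetDec > decodedLength) {
		__android_log_print(ANDROID_LOG_ERROR, APP_LOG, "Invalid buffers or dimensions.");
		return;
	}
	// Bytes the decoder reads (one 8-byte ETC1 block per 4x4 pixels) and
	// writes (height rows of stride width * pixelSize).
	jlong compressedNeeded = (jlong)etc1_get_encoded_data_size(width, height);
	jlong decodedNeeded = (jlong)height * width * pixelSize;
	if (compressedLength - offset < compressedNeeded || decodedLength - offsetDec < decodedNeeded) {
		__android_log_print(ANDROID_LOG_ERROR, APP_LOG,
		                    "Invalid buffers, would overflow. compressed need %lld have %lld, decoded need %lld have %lld",
		                    (long long)compressedNeeded, (long long)(compressedLength - offset),
		                    (long long)decodedNeeded, (long long)(decodedLength - offsetDec));
		return;
	}
	// … unchanged: etc1_decode_image(...) call …
```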
#include "jpgd_c.h"
+#include <android/log.h>
+#define APP_LOG "GDX"
+
static uint32_t gdx2d_blend = GDX2D_BLEND_NONE;
static uint32_t gdx2d_scale = GDX2D_SCALE_NEAREST;
@@ -358,9 +361,25 @@ static inline void clear_RGBA4444(const gdx2d_pixmap* pixmap, uint32_t col) {
 }
}
-void gdx2d_clear(const gdx2d_pixmap* pixmap, uint32_t col) {
+void gdx2d_clear(const gdx2d_pixmap* pixmap, uint32_t col) {
+ if (pixmap == 0)
+ return;
+
col = to_format(pixmap->format, col);
+ // Check for malformed Pixmap
+ size_t requestedSize = pixmap->width * pixmap->height * sizeof(col);
+ size_t pixelsSize = sizeof(pixmap->pixels);
+ if (requestedSize > pixelsSize) {
+ __android_log_print(ANDROID_LOG_VERBOSE,
+ APP_LOG, "Invalid pixmap. %ix%i - Size should be %u but found %u",
+ pixmap->width,
+ pixmap->height,
+ requestedSize,
+ pixelsSize);
+ return;
+ }
+
switch(pixmap->format) {
case GDX2D_FORMAT_ALPHA:
clear_alpha(pixmap, col);
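Review bot: `size_t pixelsSize = sizeof(pixmap->pixels);` measures the struct member, not the pixel buffer: `pixels` is a pointer in gdx2d's pixmap struct (declared outside this hunk), so this is a constant 4 or 8 and the guard rejects every pixmap larger than a couple of pixels, turning `gdx2d_clear` into a silent no-op instead of catching a malformed one. `requestedSize` is also not the buffer size for most formats, since `sizeof(col)` is 4 regardless of `pixmap->format` while the per-format helpers (`clear_alpha`, `clear_RGBA4444`, …) presumably write a format-dependent number of bytes per pixel, and if `width`/`height` are 32-bit the product can wrap before being widened to `size_t`. A correct check needs the real byte length recorded when the buffer is allocated, e.g. `size_t pixelsSize = <byte length stored with the pixmap>;` compared against `(size_t)pixmap->width * pixmap->height * <bytes per pixel for the format>` (both placeholders); until such a field exists this check should not ship, because it disables clears rather than validating them. The format string also pairs `%u` with the two `size_t` values; use `%zu`. The switch in `gdx2d_clear` continues past the end of the hunk.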
diff --git a/gdx/jni/gdx2d/jpgd.cpp b/gdx/jni/gdx2d/jpgd.cpp
index 4c84a3321..d76e930ea 100644
--- a/gdx/jni/gdx2d/jpgd.cpp
+++ b/gdx/jni/gdx2d/jpgd.cpp
@@ -29,6 +29,10 @@
 #define JPGD_MAX(a,b) (((a)>(b)) ? (a) : (b))
 #define JPGD_MIN(a,b) (((a)<(b)) ? (a) : (b))
+// TODO: Move to header and use these constants when declaring the arrays.
+#define JPGD_HUFF_TREE_MAX_LENGTH 512
+#define JPGD_HUFF_CODE_SIZE_MAX_LENGTH 256
+
 namespace jpgd {
 static inline void *jpgd_malloc(size_t nSize) { return malloc(nSize); }
@@ -493,8 +497,9 @@ inline uint jpeg_decoder::get_bits_no_markers(int num_bits)
 // Decodes a Huffman encoded symbol.
 inline int jpeg_decoder::huff_decode(huff_tables *pH)
 {
- int symbol;
+ JPGD_ASSERT(pH);
+ int symbol;
 // Check first 8-bits: do we have a complete symbol?
 if ((symbol = pH->look_up[m_bit_buf >> 24]) < 0)
 {
@@ -502,14 +507,19 @@ inline int jpeg_decoder::huff_decode(huff_tables *pH)
 int ofs = 23;
 do
 {
- symbol = pH->tree[-(int)(symbol + ((m_bit_buf >> ofs) & 1))];
+ unsigned int idx = -(int)(symbol + ((m_bit_buf >> ofs) & 1));
+ JPGD_ASSERT(idx < JPGD_HUFF_TREE_MAX_LENGTH);
+ symbol = pH->tree[idx];
 ofs--;
 } while (symbol < 0);
 get_bits_no_markers(8 + (23 - ofs));
 }
 else
+ {
+ JPGD_ASSERT(symbol < JPGD_HUFF_CODE_SIZE_MAX_LENGTH);
 get_bits_no_markers(pH->code_size[symbol]);
+ }
 return symbol;
 }
@@ -519,6 +529,8 @@ inline int jpeg_decoder::huff_decode(huff_tables *pH, int& extra_bits)
 {
 int symbol;
+ JPGD_ASSERT(pH);
+
 // Check first 8-bits: do we have a complete symbol?
 if ((symbol = pH->look_up2[m_bit_buf >> 24]) < 0)
 {
@@ -526,7 +538,9 @@ inline int jpeg_decoder::huff_decode(huff_tables *pH, int& extra_bits)
 int ofs = 23;
 do
 {
- symbol = pH->tree[-(int)(symbol + ((m_bit_buf >> ofs) & 1))];
+ unsigned int idx = -(int)(symbol + ((m_bit_buf >> ofs) & 1));
+ JPGD_ASSERT(idx < JPGD_HUFF_TREE_MAX_LENGTH);
+ symbol = pH->tree[idx];
 ofs--;
 } while (symbol < 0);
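Review bot: The new index checks in both `huff_decode` overloads are `JPGD_ASSERT` calls, which — if `JPGD_ASSERT` is this file's usual `assert()` wrapper (its definition is not in the hunk) — compile to nothing under `NDEBUG`, so a release build decoding an untrusted JPEG still reads `pH->tree[idx]` and `pH->code_size[symbol]` out of bounds exactly as before. The same applies to the asserts added in `transform_mcu`, `load_next_row`, `decode_next_row`, `make_huff_table`, `decode_block_ac_first` and `decode_block_ac_refine` in the following hunks, and the `decode_block_ac_refine` hunk additionally removes the `m_spectral_end <= 63` assertion outright instead of replacing it with an error. A malformed Huffman or quantization table is a data error, not a programmer error, so each check should take the decoder's existing error path, e.g. `if (idx >= JPGD_HUFF_TREE_MAX_LENGTH) stop_decoding(JPGD_DECODE_ERROR);` (through `pD->` in the static `decode_block_*` helpers), keeping the assert only as a debug aid. The bodies of both `huff_decode` overloads start or end outside these hunks.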
@@ -1497,6 +1511,12 @@ void jpeg_decoder::fix_in_buffer()
 void jpeg_decoder::transform_mcu(int mcu_row)
 {
 jpgd_block_t* pSrc_ptr = m_pMCU_coefficients;
+ if (m_freq_domain_chroma_upsample) {
+ JPGD_ASSERT(mcu_row * m_blocks_per_mcu < m_expanded_blocks_per_row);
+ }
+ else {
+ JPGD_ASSERT(mcu_row * m_blocks_per_mcu < m_max_blocks_per_row);
+ }
 uint8* pDst_ptr = m_pSample_buf + mcu_row * m_blocks_per_mcu * 64;
 for (int mcu_block = 0; mcu_block < m_blocks_per_mcu; mcu_block++)
@@ -1652,6 +1672,7 @@ void jpeg_decoder::load_next_row()
 for (mcu_block = 0; mcu_block < m_blocks_per_mcu; mcu_block++)
 {
 component_id = m_mcu_org[mcu_block];
+ JPGD_ASSERT(m_comp_quant[component_id] < JPGD_MAX_QUANT_TABLES);
 q = m_quant[m_comp_quant[component_id]];
 p = m_pMCU_coefficients + 64 * mcu_block;
@@ -1772,6 +1793,7 @@ void jpeg_decoder::decode_next_row()
 for (int mcu_block = 0; mcu_block < m_blocks_per_mcu; mcu_block++, p += 64)
 {
 int component_id = m_mcu_org[mcu_block];
+ JPGD_ASSERT(m_comp_quant[component_id] < JPGD_MAX_QUANT_TABLES);
 jpgd_quant_t* q = m_quant[m_comp_quant[component_id]];
 int r, s;
@@ -2281,7 +2303,8 @@ void jpeg_decoder::make_huff_table(int index, huff_tables *pH)
 for (l = 1 << (8 - code_size); l > 0; l--)
 {
- JPGD_ASSERT(i < 256);
+ JPGD_ASSERT(i < JPGD_HUFF_CODE_SIZE_MAX_LENGTH);
+ JPGD_ASSERT(code < JPGD_HUFF_CODE_SIZE_MAX_LENGTH);
 pH->look_up[code] = i;
@@ -2331,16 +2354,19 @@ void jpeg_decoder::make_huff_table(int index, huff_tables *pH)
 if ((code & 0x8000) == 0)
 currententry--;
- if (pH->tree[-currententry - 1] == 0)
+ unsigned int idx = -currententry - 1;
+ JPGD_ASSERT(idx < JPGD_HUFF_TREE_MAX_LENGTH);
+ if (pH->tree[idx] == 0)
 {
- pH->tree[-currententry - 1] = nextfreeentry;
+ pH->tree[idx] = nextfreeentry;
 currententry = nextfreeentry;
 nextfreeentry -= 2;
 }
- else
- currententry = pH->tree[-currententry - 1];
+ else {
+ currententry = pH->tree[idx];
+ }
 code <<= 1;
 }
@@ -2642,7 +2668,9 @@ void jpeg_decoder::decode_block_ac_first(jpeg_decoder *pD, int component_id, int
 for (k = pD->m_spectral_start; k <= pD->m_spectral_end; k++)
 {
- s = pD->huff_decode(pD->m_pHuff_tabs[pD->m_comp_ac_tab[component_id]]);
+ unsigned int idx = pD->m_comp_ac_tab[component_id];
+ JPGD_ASSERT(idx < JPGD_MAX_HUFF_TABLES);
+ s = pD->huff_decode(pD->m_pHuff_tabs[idx]);
 r = s >> 4;
 s &= 15;
@@ -2685,7 +2713,6 @@ void jpeg_decoder::decode_block_ac_refine(jpeg_decoder *pD, int component_id, in
 int p1 = 1 << pD->m_successive_low;
 int m1 = (-1) << pD->m_successive_low;
 jpgd_block_t *p = pD->coeff_buf_getp(pD->m_ac_coeffs[component_id], block_x, block_y);
- JPGD_ASSERT(pD->m_spectral_end <= 63);
 k = pD->m_spectral_start;
@@ -2694,7 +2721,9 @@ void jpeg_decoder::decode_block_ac_refine(jpeg_decoder *pD, int component_id, in
 {
 for ( ; k <= pD->m_spectral_end; k++)
 {
- s = pD->huff_decode(pD->m_pHuff_tabs[pD->m_comp_ac_tab[component_id]]);
+ unsigned int idx = pD->m_comp_ac_tab[component_id];
+ JPGD_ASSERT(idx < JPGD_MAX_HUFF_TABLES);
+ s = pD->huff_decode(pD->m_pHuff_tabs[idx]);
 r = s >> 4;
 s &= 15;
diff --git a/gdx/jni/gdx2d/stb_image.h b/gdx/jni/gdx2d/stb_image.h
index a9d338a2a..1e48cc40d 100644
--- a/gdx/jni/gdx2d/stb_image.h
+++ b/gdx/jni/gdx2d/stb_image.h
@@ -965,6 +965,9 @@ static unsigned char *stbi__load_main(stbi__context *s, int *x, int *y, int *com
 #ifndef STBI_NO_HDR
 if (stbi__hdr_test(s)) {
 float *hdr = stbi__hdr_load(s, x,y,comp,req_comp);
+ if (hdr == NULL) {
+ return NULL;
+ }
 return stbi__hdr_to_ldr(hdr, *x, *y, req_comp ? req_comp : *comp);
 }
 #endif
@@ -6046,7 +6049,11 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
 }
 len <<= 8;
 len |= stbi__get8(s);
- if (len != width) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("invalid decoded scanline length", "corrupt HDR"); }
+ if (len != width) {
+ STBI_FREE(hdr_data);
+ STBI_FREE(scanline);
+ return stbi__errpf("invalid decoded scanline length", "corrupt HDR");
+ }
 if (scanline == NULL) scanline = (stbi_uc *) stbi__malloc(width * 4);
 for (k = 0; k < 4; ++k) {
@@ -6057,9 +6064,19 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
 // Run
 value = stbi__get8(s);
 count -= 128;
+ if (count >= width - i) {
+ STBI_FREE(hdr_data);
+ STBI_FREE(scanline);
+ return stbi__errpf("invalid buffer size", "corrupt HDR");
+ }
 for (z = 0; z < count; ++z)
 scanline[i++ * 4 + k] = value;
 } else {
+ if (count >= width - i) {
+ STBI_FREE(hdr_data);
+ STBI_FREE(scanline);
+ return stbi__errpf("invalid buffer size", "corrupt HDR");
+ }
 // Dump
 for (z = 0; z < count; ++z)
 scanline[i++ * 4 + k] = stbi__get8(s); |
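Review bot: Both new guards in the second hunk use `count >= width - i`, which is off by one: `i` is the next pixel to fill and the loop writes pixels `i .. i+count-1`, so a run that exactly fills the rest of the scanline (`count == width - i`) is valid but is now rejected as "corrupt HDR", breaking well-formed RLE files. The condition should be `if (count > width - i) {` in both the Run and the Dump branch. A count of 0 (including `stbi__get8` returning 0 at end of input) writes nothing and leaves `i` unchanged; if the enclosing scanline loop is a plain `while (i < width)` (it starts outside the hunk) that iteration makes no progress, so rejecting it in the same condition is worth adding: `if (count == 0 || count > width - i) {`. The `else` block's closing brace is outside the hunk.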