Defend against ICOs with large BMPs embedded DO NOT MERGE am: 6029322ad7 am: a7857dd90c

am: c0e1e9fb47

Change-Id: Ife708718061f8b2ee1cd7968ff90fc54ea6e570e

3 files changed, 11 insertions, 3 deletions

diff --git a/resources/invalid_images/b38116746.ico b/resources/invalid_images/b38116746.ico
new file mode 100644
index 0000000000..35ee5b5a28
--- /dev/null
+++ b/resources/invalid_images/b38116746.ico
diff --git a/src/codec/SkIcoCodec.cpp b/src/codec/SkIcoCodec.cpp
index dc4222a43c..8b3d26dd86 100644
--- a/src/codec/SkIcoCodec.cpp
+++ b/src/codec/SkIcoCodec.cpp
@@ -14,6 +14,7 @@
 #include "SkStream.h"
 #include "SkTDArray.h"
 #include "SkTSort.h"
+#include "../private/SkTemplates.h"
 
 /*
  * Checks the start of the stream to see if the image is an Ico or Cur
@@ -128,12 +129,18 @@ SkCodec* SkIcoCodec::NewFromStream(SkStream* stream) {
         bytesRead = offset;
 
         // Create a new stream for the embedded codec
-        SkAutoTUnref<SkData> data(
-                SkData::NewFromStream(inputStream.get(), size));
-        if (nullptr == data.get()) {
+        SkAutoFree buffer(sk_malloc_flags(size, 0));
+        if (!buffer.get()) {
+            SkCodecPrintf("Warning: OOM trying to create embedded stream.\n");
+            break;
+        }
+
+        if (inputStream->read(buffer.get(), size) != size) {
             SkCodecPrintf("Warning: could not create embedded stream.\n");
             break;
         }
+
+        SkAutoTUnref<SkData> data(SkData::NewFromMalloc(buffer.detach(), size));
         SkAutoTDelete<SkMemoryStream> embeddedStream(new SkMemoryStream(data.get()));
         bytesRead += size;
 
diff --git a/tests/BadIcoTest.cpp b/tests/BadIcoTest.cpp
index c387e157be..f6b1c469cc 100644
--- a/tests/BadIcoTest.cpp
+++ b/tests/BadIcoTest.cpp
@@ -22,6 +22,7 @@ DEF_TEST(BadImage, reporter) {
         "ico_fuzz1.ico",
         "skbug3442.webp",
         "skbug3429.webp",
+        "b38116746.ico",
     };
 
     const char* badImagesFolder = "invalid_images";