diff options
author | Leon Scroggins III <scroggo@google.com> | 2017-06-16 16:25:03 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2017-06-16 16:25:03 +0000 |
commit | c0e1e9fb472e8d27d55b8bdce8b48dd617b24f29 (patch) | |
tree | d43b3a99ec9feff195c9227868c823164eb443a8 | |
parent | 6bcf8398db5a57e0f92100e7e60cbdfb66a3979c (diff) | |
parent | a7857dd90c8fcf140768715f28d85a113701fc12 (diff) | |
download | skia-c0e1e9fb472e8d27d55b8bdce8b48dd617b24f29.tar.gz |
Defend against ICOs with large BMPs embedded DO NOT MERGE am: 6029322ad7
am: a7857dd90c
Change-Id: Idbe1b7495c9f4ebdd4363153cd916b2716cd621b
-rw-r--r-- | resources/invalid_images/b38116746.ico | bin | 0 -> 1024 bytes | |||
-rw-r--r-- | src/codec/SkIcoCodec.cpp | 13 | ||||
-rw-r--r-- | tests/BadIcoTest.cpp | 1 |
3 files changed, 11 insertions, 3 deletions
diff --git a/resources/invalid_images/b38116746.ico b/resources/invalid_images/b38116746.ico Binary files differnew file mode 100644 index 0000000000..35ee5b5a28 --- /dev/null +++ b/resources/invalid_images/b38116746.ico diff --git a/src/codec/SkIcoCodec.cpp b/src/codec/SkIcoCodec.cpp index dc4222a43c..8b3d26dd86 100644 --- a/src/codec/SkIcoCodec.cpp +++ b/src/codec/SkIcoCodec.cpp @@ -14,6 +14,7 @@ #include "SkStream.h" #include "SkTDArray.h" #include "SkTSort.h" +#include "../private/SkTemplates.h" /* * Checks the start of the stream to see if the image is an Ico or Cur @@ -128,12 +129,18 @@ SkCodec* SkIcoCodec::NewFromStream(SkStream* stream) { bytesRead = offset; // Create a new stream for the embedded codec - SkAutoTUnref<SkData> data( - SkData::NewFromStream(inputStream.get(), size)); - if (nullptr == data.get()) { + SkAutoFree buffer(sk_malloc_flags(size, 0)); + if (!buffer.get()) { + SkCodecPrintf("Warning: OOM trying to create embedded stream.\n"); + break; + } + + if (inputStream->read(buffer.get(), size) != size) { SkCodecPrintf("Warning: could not create embedded stream.\n"); break; } + + SkAutoTUnref<SkData> data(SkData::NewFromMalloc(buffer.detach(), size)); SkAutoTDelete<SkMemoryStream> embeddedStream(new SkMemoryStream(data.get())); bytesRead += size; diff --git a/tests/BadIcoTest.cpp b/tests/BadIcoTest.cpp index c387e157be..f6b1c469cc 100644 --- a/tests/BadIcoTest.cpp +++ b/tests/BadIcoTest.cpp @@ -22,6 +22,7 @@ DEF_TEST(BadImage, reporter) { "ico_fuzz1.ico", "skbug3442.webp", "skbug3429.webp", + "b38116746.ico", }; const char* badImagesFolder = "invalid_images"; |