authorLeon Scroggins III <scroggo@google.com>2018-10-22 13:16:37 -0400
committerAtanas Kirilov <akirilov@google.com>2018-11-16 21:43:57 +0000
commit8adcfda1344480c277f8f3dc3e76ff4c119a80a7 (patch)
tree05337cbdcf144d0c3e13e957ec472ceb8a47ac7c
parentb9305bf7754242a7a709133fdfbef6528c8e4797 (diff)
downloadskia-8adcfda1344480c277f8f3dc3e76ff4c119a80a7.tar.gz
RESTRICT AUTOMERGE: Fix heap buffer overflow
Bug: b/118143775 Bug: oss-fuzz:11040 Because we're sampling, the offset ends up the same as the width. Back up to the left enough to fit the bytes we will write. Include SafetyNet logging from https://skia-review.googlesource.com/c/skia/+/171227 Note: SafetyNet logging code revised since the actual API is missing, but it's functionally identical Test: run cts -m CtsSecurityTestCases -t android.security.cts.BitmapFactorySecurityTests#test_android_bug_118143775 Change-Id: Ie476a0191b66c2322446b9c0922f630d6e971645
-rw-r--r--src/codec/SkSwizzler.cpp16
1 files changed, 16 insertions, 0 deletions
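diff --git a/src/codec/SkSwizzler.cpp b/src/codec/SkSwizzler.cpp
index 31fc063aec..bf9c5496a6 100644
--- a/src/codec/SkSwizzler.cpp
+++ b/src/codec/SkSwizzler.cpp
@@ -12,6 +12,10 @@
 #include "SkSwizzler.h"
 #include "SkTemplates.h"
+#ifdef SK_BUILD_FOR_ANDROID_FRAMEWORK
+ #include "SkAndroidFrameworkUtils.h"
+#endif
+
 static void copy(void* dst, const uint8_t* src, int width, int bpp, int deltaSrc, int offset,
 const SkPMColor ctable[]) {
 // This function must not be called if we are sampling. If we are not
@@ -1250,6 +1254,18 @@ int SkSwizzler::onSetSampleX(int sampleX) {
 fSwizzleWidth = get_scaled_dimension(fSrcWidth, sampleX);
 fAllocatedWidth = get_scaled_dimension(fDstWidth, sampleX);
+ if (fDstOffsetBytes > 0) {
+ const size_t dstSwizzleBytes = fSwizzleWidth * fDstBPP;
+ const size_t dstAllocatedBytes = fAllocatedWidth * fDstBPP;
+ if (fDstOffsetBytes + dstSwizzleBytes > dstAllocatedBytes) {
+#ifdef SK_BUILD_FOR_ANDROID_FRAMEWORK
+ SkAndroidFrameworkUtils::SafetyNetLog("118143775");
+#endif
+ SkASSERT(dstSwizzleBytes < dstAllocatedBytes);
+ fDstOffsetBytes = dstAllocatedBytes - dstSwizzleBytes;
+ }
+ }
+
 // The optimized swizzler functions do not support sampling. Sampled swizzles
 // are already fast because they skip pixels. We haven't seen a situation
 // where speeding up sampling has a significant impact on total decode time.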
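Review bot: The `SkASSERT(dstSwizzleBytes < dstAllocatedBytes)` in the second hunk is the only guard on `fDstOffsetBytes = dstAllocatedBytes - dstSwizzleBytes`, and SkASSERT compiles out of release builds, so if the swizzled row can ever be wider than the allocated row the subtraction wraps and the release binary ends up with an enormous offset instead of the clamp this commit intends. The assert is also one notch too strict: when the two byte counts are equal it fires in debug builds even though the subtraction correctly yields 0, which may well be the "offset ends up the same as the width" case the description cites. I would keep the clamp safe in every build and relax the assert: `SkASSERT(dstSwizzleBytes <= dstAllocatedBytes);` followed by `fDstOffsetBytes = dstSwizzleBytes < dstAllocatedBytes ? dstAllocatedBytes - dstSwizzleBytes : 0;`. Whether `fSwizzleWidth * fDstBPP` can overflow before it is widened to size_t depends on the members' declared types, which are not visible in this hunk. onSetSampleX continues past the end of the hunk.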