From 7a9ded60736743f2a113e573b709cd2f6ea2b8ce Mon Sep 17 00:00:00 2001 From: Leon Scroggins III Date: Mon, 22 Oct 2018 13:16:37 -0400 Subject: RESTRICT AUTOMERGE: Fix heap buffer overflow Bug: b/118143775 Bug: oss-fuzz:11040 Because we're sampling, the offset ends up the same as the width. Back up to the left enough to fit the bytes we will write. Include SafetyNet logging from https://skia-review.googlesource.com/c/skia/+/171227 Test: not feasible Change-Id: Ie476a0191b66c2322446b9c0922f630d6e971645 (cherry picked from commit 07fd41b8234d40e9372604ae3779bda5d760ffc4) --- src/codec/SkSwizzler.cpp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/codec/SkSwizzler.cpp b/src/codec/SkSwizzler.cpp index 133736879f..f4be612c4d 100644 --- a/src/codec/SkSwizzler.cpp +++ b/src/codec/SkSwizzler.cpp @@ -11,6 +11,10 @@ #include "SkSwizzler.h" #include "SkTemplates.h" +#ifdef SK_BUILD_FOR_ANDROID_FRAMEWORK + #include "SkAndroidFrameworkUtils.h" +#endif + static void copy(void* dst, const uint8_t* src, int width, int bpp, int deltaSrc, int offset, const SkPMColor ctable[]) { // This function must not be called if we are sampling. If we are not @@ -937,6 +941,18 @@ int SkSwizzler::onSetSampleX(int sampleX) { fSwizzleWidth = get_scaled_dimension(fSrcWidth, sampleX); fAllocatedWidth = get_scaled_dimension(fDstWidth, sampleX); + if (fDstOffsetBytes > 0) { + const size_t dstSwizzleBytes = fSwizzleWidth * fDstBPP; + const size_t dstAllocatedBytes = fAllocatedWidth * fDstBPP; + if (fDstOffsetBytes + dstSwizzleBytes > dstAllocatedBytes) { +#ifdef SK_BUILD_FOR_ANDROID_FRAMEWORK + SkAndroidFrameworkUtils::SafetyNetLog("118143775"); +#endif + SkASSERT(dstSwizzleBytes < dstAllocatedBytes); + fDstOffsetBytes = dstAllocatedBytes - dstSwizzleBytes; + } + } + // The optimized swizzler functions do not support sampling. Sampled swizzles // are already fast because they skip pixels. We haven't seen a situation // where speeding up sampling has a significant impact on total decode time. -- cgit v1.2.3