diff options
| author | Mike Reed <reed@google.com> | 2018-02-01 10:48:59 -0500 |
|---|---|---|
| committer | Skia Commit-Bot <skia-commit-bot@chromium.org> | 2018-02-01 16:08:13 +0000 |
| commit | d2bc6207ba80c3babdb115bee7a9bbcf3c91be2e (patch) | |
| tree | 7501e6117536d81dfea3bfd19f92e0275573b78d /src | |
| parent | e735200d34ec0b995bbc3fb67c754e5b19e466fc (diff) | |
| download | skqp-d2bc6207ba80c3babdb115bee7a9bbcf3c91be2e.tar.gz | |
validate indices for vertices
Bug: skia:7565
Change-Id: If5366cc0f5c9ce328376b9721b454b9160bf6764
Reviewed-on: https://skia-review.googlesource.com/102203
Commit-Queue: Mike Reed <reed@google.com>
Reviewed-by: Robert Phillips <robertphillips@google.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/core/SkSafeRange.h | 8 | ||||
| -rw-r--r-- | src/core/SkVertices.cpp | 21 |
2 files changed, 24 insertions, 5 deletions
diff --git a/src/core/SkSafeRange.h b/src/core/SkSafeRange.h index c640ffdd5c..ef068c2ab0 100644 --- a/src/core/SkSafeRange.h +++ b/src/core/SkSafeRange.h @@ -30,6 +30,14 @@ public: return static_cast<T>(value); } + int checkGE(int value, int min) { + if (value < min) { + fOK = false; + value = min; + } + return value; + } + private: bool fOK = true; }; diff --git a/src/core/SkVertices.cpp b/src/core/SkVertices.cpp index 08edca08fe..7253109a82 100644 --- a/src/core/SkVertices.cpp +++ b/src/core/SkVertices.cpp @@ -199,15 +199,17 @@ sk_sp<SkVertices> SkVertices::Decode(const void* data, size_t length) { SkSafeRange safe; const uint32_t packed = reader.readInt(); - const int vertexCount = reader.readInt(); - const int indexCount = reader.readInt(); - + const int vertexCount = safe.checkGE(reader.readInt(), 0); + const int indexCount = safe.checkGE(reader.readInt(), 0); const VertexMode mode = safe.checkLE<VertexMode>(packed & kMode_Mask, SkVertices::kLast_VertexMode); + if (!safe) { + return nullptr; + } const bool hasTexs = SkToBool(packed & kHasTexs_Mask); const bool hasColors = SkToBool(packed & kHasColors_Mask); Sizes sizes(vertexCount, indexCount, hasTexs, hasColors); - if (!sizes.isValid() || !safe) { + if (!sizes.isValid()) { return nullptr; } // logically we can be only 2-byte aligned, but our buffer is always 4-byte aligned @@ -221,6 +223,15 @@ sk_sp<SkVertices> SkVertices::Decode(const void* data, size_t length) { reader.read(builder.texCoords(), sizes.fTSize); reader.read(builder.colors(), sizes.fCSize); reader.read(builder.indices(), sizes.fISize); - + if (indexCount > 0) { + // validate that the indicies are in range + SkASSERT(indexCount == builder.indexCount()); + const uint16_t* indices = builder.indices(); + for (int i = 0; i < indexCount; ++i) { + if (indices[i] >= (unsigned)vertexCount) { + return nullptr; + } + } + } return builder.detach(); } |