Merge crrev.com/1151663002 into M44.
Patched nearly cleanly, with some cosmetic conflicts in SkPicture.h.
Original change:
Don't serialize SkPictures in SkPictureShaders when in untrusted mode.
This requires we "first" add a has-picture bool to SkPictureShader serialized format.
BUG=chromium:486947, billions and billions of others.
Review URL: https://codereview.chromium.org/1151663002
NOTREECHECKS=true
NOTRY=true
NOPRESUBMIT=true
TBR=reed@google.com
Review URL: https://codereview.chromium.org/1231433004
diff --git a/include/core/SkPicture.h b/include/core/SkPicture.h
index 9a2b65b..f845e94 100644
--- a/include/core/SkPicture.h
+++ b/include/core/SkPicture.h
@@ -242,13 +242,14 @@
// V39: Added FilterLevel option to SkPictureImageFilter
// V40: Remove UniqueID serialization from SkImageFilter.
// V41: Added serialization of SkBitmapSource's filterQuality parameter
+ // V42: Added a bool to SkPictureShader serialization to indicate did-we-serialize-a-picture?
// Note: If the picture version needs to be increased then please follow the
// steps to generate new SKPs in (only accessible to Googlers): http://goo.gl/qATVcw
// Only SKPs within the min/current picture version range (inclusive) can be read.
- static const uint32_t MIN_PICTURE_VERSION = 35; // Produced by Chrome M39.
- static const uint32_t CURRENT_PICTURE_VERSION = 41;
+ static const uint32_t MIN_PICTURE_VERSION = 35; // Produced by Chrome M39.
+ static const uint32_t CURRENT_PICTURE_VERSION = 42;
static_assert(MIN_PICTURE_VERSION <= 41,
"Remove kFontFileName and related code from SkFontDescriptor.cpp.");
diff --git a/src/core/SkPictureShader.cpp b/src/core/SkPictureShader.cpp
index c1c4755..7efef21 100644
--- a/src/core/SkPictureShader.cpp
+++ b/src/core/SkPictureShader.cpp
@@ -122,6 +122,8 @@
return SkNEW_ARGS(SkPictureShader, (picture, tmx, tmy, localMatrix, tile));
}
+// TODO: rename SK_DISALLOW_CROSSPROCESS_PICTUREIMAGEFILTERS to SK_DISALLOW_CROSSPROCESS_PICTURES
+
SkFlattenable* SkPictureShader::CreateProc(SkReadBuffer& buffer) {
SkMatrix lm;
buffer.readMatrix(&lm);
@@ -129,7 +131,27 @@
TileMode my = (TileMode)buffer.read32();
SkRect tile;
buffer.readRect(&tile);
- SkAutoTUnref<SkPicture> picture(SkPicture::CreateFromBuffer(buffer));
+
+ SkAutoTUnref<SkPicture> picture;
+#ifdef SK_DISALLOW_CROSSPROCESS_PICTUREIMAGEFILTERS
+ if (buffer.isCrossProcess()) {
+ if (buffer.isVersionLT(SkReadBuffer::kPictureShaderHasPictureBool_Version)) {
+ // Older code blindly serialized pictures. We don't trust them.
+ buffer.validate(false);
+ return NULL;
+ }
+ // Newer code won't serialize pictures in disallow-cross-process-picture mode.
+ // Assert that they didn't serialize anything except a false here.
+ buffer.validate(!buffer.readBool());
+ } else
+#endif
+ {
+ // Old code always serialized the picture. New code writes a 'true' first if it did.
+ if (buffer.isVersionLT(SkReadBuffer::kPictureShaderHasPictureBool_Version) ||
+ buffer.readBool()) {
+ picture.reset(SkPicture::CreateFromBuffer(buffer));
+ }
+ }
return SkPictureShader::Create(picture, mx, my, &lm, &tile);
}
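Review bot: In the cross-process branch for new-version buffers, `buffer.validate(!buffer.readBool())` marks a stream that claims to carry a picture as invalid but then falls through to `SkPictureShader::Create(picture, mx, my, &lm, &tile)` with a null `picture`, so the rejected stream still yields a shader object and correctness depends on Create's null handling (its guard is above this hunk, not visible) and on the caller checking the buffer's validity afterwards. The older-version case two lines earlier already returns early; mirroring it keeps a rejected cross-process stream from reaching Create at all: `if (buffer.readBool()) { buffer.validate(false); return NULL; }`. The `} else` / `#endif` / `{` splice used here and again in the flatten hunk below is easy to misread when the macro is not defined; a comment on the unguarded block such as `// Without SK_DISALLOW_CROSSPROCESS_PICTUREIMAGEFILTERS the picture is read even from a cross-process buffer.` would make that fallback explicit. CreateProc's signature and first statements are in the preceding hunk, so the function starts outside this one.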
@@ -138,7 +160,18 @@
buffer.write32(fTmx);
buffer.write32(fTmy);
buffer.writeRect(fTile);
- fPicture->flatten(buffer);
+
+#ifdef SK_DISALLOW_CROSSPROCESS_PICTUREIMAGEFILTERS
+ // The deserialization code won't trust that our serialized picture is safe to deserialize.
+ // So write a 'false' telling it that we're not serializing a picture.
+ if (buffer.isCrossProcess()) {
+ buffer.writeBool(false);
+ } else
+#endif
+ {
+ buffer.writeBool(true);
+ fPicture->flatten(buffer);
+ }
}
SkShader* SkPictureShader::refBitmapShader(const SkMatrix& matrix, const SkMatrix* localM,
diff --git a/src/core/SkReadBuffer.h b/src/core/SkReadBuffer.h
index 1299eda..ba47835 100644
--- a/src/core/SkReadBuffer.h
+++ b/src/core/SkReadBuffer.h
@@ -56,7 +56,8 @@
kPictureImageFilterResolution_Version = 38,
kPictureImageFilterLevel_Version = 39,
kImageFilterNoUniqueID_Version = 40,
- kBitmapSourceFilterQuality_Version = 41
+ kBitmapSourceFilterQuality_Version = 41,
+ kPictureShaderHasPictureBool_Version = 42,
};
/**