commit 984d49667a85ae942ba1e18cf1be5ec9b18d15a2
author Mike Klein <mtklein@google.com> Wed Aug 12 10:17:48 2020 -0500
committer Skia Commit-Bot <skia-commit-bot@chromium.org> Thu Aug 13 14:56:41 2020 +0000
tree 4fb9b388b4f30afe054c7d9912f119893b2c9c1a
parent 53ff19c85290ac1e2a51fba844188051b0608af0

deserialize SkCanvas::SrcRectConstraint safely

Bug: oss-fuzz:24764
Change-Id: I86b935850158780d5f65be025ffd16f704984806
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/309695
Auto-Submit: Mike Klein <mtklein@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>
Commit-Queue: Mike Klein <mtklein@google.com>

src/core/SkPicturePlayback.cpp

diff --git a/src/core/SkPicturePlayback.cpp b/src/core/SkPicturePlayback.cpp
index bd7e9a9..bb2b027 100644
--- a/src/core/SkPicturePlayback.cpp
+++ b/src/core/SkPicturePlayback.cpp
@@ -291,8 +291,10 @@
                 break;
             }
             const SkPaint* paint = fPictureData->optionalPaint(reader);
+
             SkCanvas::SrcRectConstraint constraint =
-                    static_cast<SkCanvas::SrcRectConstraint>(reader->readInt());
+                    reader->checkRange(SkCanvas::kStrict_SrcRectConstraint,
+                                       SkCanvas::kFast_SrcRectConstraint);
 
             if (!reader->validate(SkSafeMath::Mul(cnt, kEntryReadSize) <= reader->available())) {
                 break;
@@ -388,7 +390,8 @@
             SkCanvas::SrcRectConstraint constraint = SkCanvas::kStrict_SrcRectConstraint;
             if (DRAW_IMAGE_RECT == op) {
                 // newer op-code stores the constraint explicitly
-                constraint = (SkCanvas::SrcRectConstraint)reader->readInt();
+                constraint = reader->checkRange(SkCanvas::kStrict_SrcRectConstraint,
+                                                SkCanvas::kFast_SrcRectConstraint);
             }
             BREAK_ON_READ_ERROR(reader);