commit ee16e573515981b285318c3d2db478d1a18d715d
author Brian Osman <brianosman@google.com> Thu Feb 13 10:13:59 2020 -0500
committer Skia Commit-Bot <skia-commit-bot@chromium.org> Thu Feb 13 16:25:22 2020 +0000
tree 34669e0a50aa802aaba7838fc665d57a9a7f00e5
parent d38f00a12a856c6ce41e659a2d02631d040a9204

Harden runtime shader/colorfilter CreateProc against bad child counts

Change-Id: I7d2f32a8cd4d373afddb2f1bfdb736e2979ec000
Bug: oss-fuzz:19883
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/270637
Reviewed-by: Mike Reed <reed@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>

src/core/SkColorFilter.cpp

diff --git a/src/core/SkColorFilter.cpp b/src/core/SkColorFilter.cpp
index 27d8bee..edd5869 100644
--- a/src/core/SkColorFilter.cpp
+++ b/src/core/SkColorFilter.cpp
@@ -484,17 +484,24 @@
     buffer.readString(&sksl);
     sk_sp<SkData> inputs = buffer.readByteArrayAsData();
 
-    std::vector<sk_sp<SkColorFilter>> children;
-    children.resize(buffer.read32());
-    for (size_t i = 0; i < children.size(); ++i) {
-        children[i] = buffer.readColorFilter();
-    }
-
     auto effect = std::get<0>(SkRuntimeEffect::Make(std::move(sksl)));
     if (!effect) {
+        buffer.validate(false);
         return nullptr;
     }
 
+    size_t childCount = buffer.read32();
+    if (childCount != effect->children().count()) {
+        buffer.validate(false);
+        return nullptr;
+    }
+
+    std::vector<sk_sp<SkColorFilter>> children;
+    children.resize(childCount);
+    for (size_t i = 0; i < children.size(); ++i) {
+        children[i] = buffer.readColorFilter();
+    }
+
     return effect->makeColorFilter(std::move(inputs), children.data(), children.size());
 }
 

src/shaders/SkRTShader.cpp

diff --git a/src/shaders/SkRTShader.cpp b/src/shaders/SkRTShader.cpp
index f1a32ed..3e961e0 100644
--- a/src/shaders/SkRTShader.cpp
+++ b/src/shaders/SkRTShader.cpp
@@ -110,17 +110,24 @@
         localMPtr = &localM;
     }
 
-    std::vector<sk_sp<SkShader>> children;
-    children.resize(buffer.read32());
-    for (size_t i = 0; i < children.size(); ++i) {
-        children[i] = buffer.readShader();
-    }
-
     auto effect = std::get<0>(SkRuntimeEffect::Make(std::move(sksl)));
     if (!effect) {
+        buffer.validate(false);
         return nullptr;
     }
 
+    size_t childCount = buffer.read32();
+    if (childCount != effect->children().count()) {
+        buffer.validate(false);
+        return nullptr;
+    }
+
+    std::vector<sk_sp<SkShader>> children;
+    children.resize(childCount);
+    for (size_t i = 0; i < children.size(); ++i) {
+        children[i] = buffer.readShader();
+    }
+
     return effect->makeShader(std::move(inputs), children.data(), children.size(), localMPtr,
                               isOpaque);
 }