check for bad buffers in Unpack8
Bug:799918
Change-Id: I0502a487d67ce757bf818823cf0ad46b7703294c
Reviewed-on: https://skia-review.googlesource.com/92841
Commit-Queue: Mike Reed <reed@google.com>
Reviewed-by: Florin Malita <fmalita@chromium.org>
diff --git a/src/effects/SkPackBits.cpp b/src/effects/SkPackBits.cpp
index 286d9d1..d2dfed9 100644
--- a/src/effects/SkPackBits.cpp
+++ b/src/effects/SkPackBits.cpp
@@ -88,13 +88,13 @@
unsigned n = *src++;
if (n <= 127) { // repeat count (n + 1)
n += 1;
- if (dst >(endDst - n)) {
+ if (dst > (endDst - n) || src >= stop) {
return 0;
}
memset(dst, *src++, n);
} else { // same count (n - 127)
n -= 127;
- if (dst > (endDst - n)) {
+ if (dst > (endDst - n) || src > (stop - n)) {
return 0;
}
memcpy(dst, src, n);
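Review bot: Both new bounds checks compute `endDst - n` and `stop - n` before comparing. When `n` is larger than the space between the start of the buffer and its end, that subtraction forms a pointer before the array, which is undefined behaviour and could in principle wrap so that the check passes. Comparing remaining lengths avoids forming such a pointer: `if (n > (size_t)(endDst - dst) || src >= stop) return 0;` in the repeat branch and `if (n > (size_t)(endDst - dst) || n > (size_t)(stop - src)) return 0;` in the copy branch. The loop header and the setup of `stop` and `endDst` are outside this hunk, so this assumes `src <= stop` and `dst <= endDst` hold at the top of each iteration.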
@@ -103,5 +103,6 @@
dst += n;
}
SkASSERT(src <= stop);
+ SkASSERT(dst <= endDst);
return SkToInt(dst - origDst);
}
diff --git a/src/effects/SkPackBits.h b/src/effects/SkPackBits.h
index 2dc7677..773b13e 100644
--- a/src/effects/SkPackBits.h
+++ b/src/effects/SkPackBits.h
@@ -36,7 +36,7 @@
@param srcSize Number of bytes of src to unpack
@param dst Buffer (allocated by caller) to expand the src[] into.
@param dstSize Number of bytes in the output buffer.
- @return the number of bytes written into dst.
+ @return the number of bytes written into dst, or 0 if srcSize or dstSize are too small.
*/
static int Unpack8(const uint8_t src[], size_t srcSize, uint8_t dst[],
size_t dstSize);
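Review bot: The new `@return` text makes 0 the failure value but does not say what state `dst` is left in. An empty input presumably also yields 0, so callers cannot tell the two cases apart from the return value alone. Judging from the .cpp hunks, the early `return 0` can be reached after earlier runs were already written to `dst` (the loop itself is not visible here), so the comment should say that the output is not usable on failure. Suggested wording: `@return the number of bytes written into dst, or 0 if src is truncated or dst is too small; on failure dst may be partially written and must not be used.`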