Defend against ICOs with large BMPs embedded DO NOT MERGE am: 6029322ad7 am: a7857dd90c
am: c0e1e9fb47
Change-Id: Ife708718061f8b2ee1cd7968ff90fc54ea6e570e
diff --git a/resources/invalid_images/b38116746.ico b/resources/invalid_images/b38116746.ico
new file mode 100644
index 0000000..35ee5b5
--- /dev/null
+++ b/resources/invalid_images/b38116746.ico
Binary files differ
diff --git a/src/codec/SkIcoCodec.cpp b/src/codec/SkIcoCodec.cpp
index dc4222a..8b3d26d 100644
--- a/src/codec/SkIcoCodec.cpp
+++ b/src/codec/SkIcoCodec.cpp
@@ -14,6 +14,7 @@
#include "SkStream.h"
#include "SkTDArray.h"
#include "SkTSort.h"
+#include "../private/SkTemplates.h"
/*
* Checks the start of the stream to see if the image is an Ico or Cur
@@ -128,12 +129,18 @@
bytesRead = offset;
// Create a new stream for the embedded codec
- SkAutoTUnref<SkData> data(
- SkData::NewFromStream(inputStream.get(), size));
- if (nullptr == data.get()) {
+ SkAutoFree buffer(sk_malloc_flags(size, 0));
+ if (!buffer.get()) {
+ SkCodecPrintf("Warning: OOM trying to create embedded stream.\n");
+ break;
+ }
+
+ if (inputStream->read(buffer.get(), size) != size) {
SkCodecPrintf("Warning: could not create embedded stream.\n");
break;
}
+
+ SkAutoTUnref<SkData> data(SkData::NewFromMalloc(buffer.detach(), size));
SkAutoTDelete<SkMemoryStream> embeddedStream(new SkMemoryStream(data.get()));
bytesRead += size;
diff --git a/tests/BadIcoTest.cpp b/tests/BadIcoTest.cpp
index c387e15..f6b1c46 100644
--- a/tests/BadIcoTest.cpp
+++ b/tests/BadIcoTest.cpp
@@ -22,6 +22,7 @@
"ico_fuzz1.ico",
"skbug3442.webp",
"skbug3429.webp",
+ "b38116746.ico",
};
const char* badImagesFolder = "invalid_images";
