
Side by Side Diff: src/core/SkColorSpace_ICC.cpp

Issue 2434563007: Fixed potential read-out-of-bounds issue in ICC profile loading (Closed)
Patch Set: Created 4 years, 2 months ago
OLDNEW
1 /* 1 /*
2 * Copyright 2016 Google Inc. 2 * Copyright 2016 Google Inc.
3 * 3 *
4 * Use of this source code is governed by a BSD-style license that can be 4 * Use of this source code is governed by a BSD-style license that can be
5 * found in the LICENSE file. 5 * found in the LICENSE file.
6 */ 6 */
7 7
8 #include "SkColorSpace.h" 8 #include "SkColorSpace.h"
9 #include "SkColorSpace_A2B.h" 9 #include "SkColorSpace_A2B.h"
10 #include "SkColorSpace_Base.h" 10 #include "SkColorSpace_Base.h"
(...skipping 638 matching lines...) Expand 10 before | Expand all | Expand 10 after
649 649
650 // Movable struct colorLUT has ownership of fTable. 650 // Movable struct colorLUT has ownership of fTable.
651 void* memory = sk_malloc_throw(sizeof(SkColorLookUpTable) + sizeof(float) * numEntries); 651 void* memory = sk_malloc_throw(sizeof(SkColorLookUpTable) + sizeof(float) * numEntries);
652 *colorLUT = sk_sp<SkColorLookUpTable>(new (memory) SkColorLookUpTable(inputC hannels, 652 *colorLUT = sk_sp<SkColorLookUpTable>(new (memory) SkColorLookUpTable(inputC hannels,
653 gridPo ints)); 653 gridPo ints));
654 654
655 float* table = SkTAddOffset<float>(memory, sizeof(SkColorLookUpTable)); 655 float* table = SkTAddOffset<float>(memory, sizeof(SkColorLookUpTable));
656 const uint8_t* ptr = src + kColorLUTHeaderSize; 656 const uint8_t* ptr = src + kColorLUTHeaderSize;
657 for (uint32_t i = 0; i < numEntries; i++, ptr += precision) { 657 for (uint32_t i = 0; i < numEntries; i++, ptr += precision) {
658 if (1 == precision) { 658 if (1 == precision) {
659 table[i] = ((float) ptr[i]) / 255.0f; 659 table[i] = ((float) *ptr) / 255.0f;
660 } else { 660 } else {
661 table[i] = ((float) read_big_endian_u16(ptr)) / 65535.0f; 661 table[i] = ((float) read_big_endian_u16(ptr)) / 65535.0f;
662 } 662 }
663 } 663 }
664 664
665 return true; 665 return true;
666 } 666 }
667 667
668 static bool load_matrix(SkMatrix44* toXYZ, const uint8_t* src, size_t len) { 668 static bool load_matrix(SkMatrix44* toXYZ, const uint8_t* src, size_t len) {
669 if (len < 48) { 669 if (len < 48) {
(...skipping 678 matching lines...) Expand 10 before | Expand all | Expand 10 after
1348 ptr32[4] = SkEndian_SwapBE32(0x000116cc); 1348 ptr32[4] = SkEndian_SwapBE32(0x000116cc);
1349 ptr += kTAG_XYZ_Bytes; 1349 ptr += kTAG_XYZ_Bytes;
1350 1350
1351 // Write copyright tag 1351 // Write copyright tag
1352 memcpy(ptr, gEmptyTextTag, sizeof(gEmptyTextTag)); 1352 memcpy(ptr, gEmptyTextTag, sizeof(gEmptyTextTag));
1353 1353
1354 // TODO (msarett): Should we try to hold onto the data so we can return imme diately if 1354 // TODO (msarett): Should we try to hold onto the data so we can return imme diately if
1355 // the client calls again? 1355 // the client calls again?
1356 return SkData::MakeFromMalloc(profile.release(), kICCProfileSize); 1356 return SkData::MakeFromMalloc(profile.release(), kICCProfileSize);
1357 } 1357 }
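Review bot: Nothing in the visible lines ties the read extent of the loop at new lines 657-663 to the size of the source buffer: with `ptr` as the only cursor, the loop consumes `precision * numEntries` bytes starting at `src + kColorLUTHeaderSize`, and the start of the function, where a length check would live, is outside the displayed region. If that check exists above, I would keep the invariant next to the reads with a comment such as `// src holds at least kColorLUTHeaderSize + precision * numEntries bytes (checked above); ptr is the only cursor, never index it by i.` The `else` branch also treats every `precision` other than 1 as a 2-byte entry, which is only safe if `precision` is restricted to 1 or 2 earlier in the function; that is worth confirming. The patch set shown touches only this file, so a unit test that decodes a small 8-bit colour LUT and compares the resulting table values would guard against the indexing mistake coming back.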