cc: Avoid hardcoding size limits in paint deserialization.

Avoid using hardcoded size limits for ensuring sane memory allocations during paint deserializations. Instead make sure we don't allocate more than the remaining bytes to read. R=enne@chromium.org Bug: 924042 Change-Id: Ib4acf3a9d1887b71c7fa23a62f6ff138649f9042 Reviewed-on: https://chromium-review.googlesource.com/c/1427560 Commit-Queue: Khushal <khushalsagar@chromium.org> Commit-Queue: enne <enne@chromium.org> Auto-Submit: Khushal <khushalsagar@chromium.org> Reviewed-by: enne <enne@chromium.org> Cr-Commit-Position: refs/heads/master@{#625074}
Denger-Network · Jan 23, 2019 · 361a36b · 361a36b
1 parent 00d5413
commit 361a36b
Showing 1 changed file with 9 additions and 10 deletions.
diff --git a/cc/paint/paint_op_reader.cc b/cc/paint/paint_op_reader.cc
@@ -28,12 +28,6 @@
 namespace cc {
 namespace {
 
-// If we have more than this many colors, abort deserialization.
-const size_t kMaxShaderColorsSupported = 10000;
-const size_t kMaxMergeFilterCount = 10000;
-const size_t kMaxKernelSize = 1000;
-const size_t kMaxRegionByteSize = 10 * 1024;
-
 bool IsValidPaintShaderType(PaintShader::Type type) {
   return static_cast<uint8_t>(type) <
          static_cast<uint8_t>(PaintShader::Type::kShaderCount);
@@ -515,7 +509,7 @@ void PaintOpReader::Read(sk_sp<PaintShader>* shader) {
   ReadSize(&colors_size);
 
   // If there are too many colors, abort.
-  if (colors_size > kMaxShaderColorsSupported) {
+  if (colors_size > remaining_bytes_) {
     SetInvalid();
     return;
   }
@@ -910,7 +904,7 @@ void PaintOpReader::ReadMatrixConvolutionPaintFilter(
     return;
   auto size =
       static_cast<size_t>(sk_64_mul(kernel_size.width(), kernel_size.height()));
-  if (size > kMaxKernelSize) {
+  if (size > remaining_bytes_) {
     SetInvalid();
     return;
   }
@@ -1009,7 +1003,12 @@ void PaintOpReader::ReadMergePaintFilter(
     const base::Optional<PaintFilter::CropRect>& crop_rect) {
   size_t input_count = 0;
   ReadSimple(&input_count);
-  if (input_count > kMaxMergeFilterCount)
+
+  // The minimum size for a serialized filter is 4 bytes (a zero uint32_t to
+  // indicate a null filter). Make sure the |input_count| doesn't exceed the
+  // maximum number of filters possible for the remaining data.
+  const size_t max_filters = remaining_bytes_ / 4u;
+  if (input_count > max_filters)
     SetInvalid();
   if (!valid_)
     return;
@@ -1272,7 +1271,7 @@ size_t PaintOpReader::Read(sk_sp<PaintRecord>* record) {
 void PaintOpReader::Read(SkRegion* region) {
   size_t region_bytes = 0;
   ReadSize(&region_bytes);
-  if (region_bytes == 0 || region_bytes > kMaxRegionByteSize)
+  if (region_bytes == 0 || region_bytes > remaining_bytes_)
     SetInvalid();
   if (!valid_)
     return;