blob: ff78b74a34a2f3ca905c5bfe1efd36e4bbaa477b [file] [log] [blame]
/*
* Copyright 2012 Google Inc.
*
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
#include "include/core/SkBitmap.h"
#include "include/core/SkData.h"
#include "include/core/SkImage.h"
#include "include/core/SkImageGenerator.h"
#include "include/core/SkStream.h"
#include "include/core/SkTypeface.h"
#include "src/core/SkAutoMalloc.h"
#include "src/core/SkMakeUnique.h"
#include "src/core/SkMathPriv.h"
#include "src/core/SkMatrixPriv.h"
#include "src/core/SkReadBuffer.h"
#include "src/core/SkSafeMath.h"
#ifndef SK_DISABLE_READBUFFER
namespace {
// This generator intentionally should always fail on all attempts to get its pixels,
// simulating a bad or empty codec stream.
class EmptyImageGenerator final : public SkImageGenerator {
public:
EmptyImageGenerator(const SkImageInfo& info) : INHERITED(info) { }
private:
typedef SkImageGenerator INHERITED;
};
static sk_sp<SkImage> MakeEmptyImage(int width, int height) {
return SkImage::MakeFromGenerator(
skstd::make_unique<EmptyImageGenerator>(SkImageInfo::MakeN32Premul(width, height)));
}
} // anonymous namespace
SkReadBuffer::SkReadBuffer() {
fVersion = 0;
fTFArray = nullptr;
fTFCount = 0;
fFactoryArray = nullptr;
fFactoryCount = 0;
}
SkReadBuffer::SkReadBuffer(const void* data, size_t size) {
fVersion = 0;
this->setMemory(data, size);
fTFArray = nullptr;
fTFCount = 0;
fFactoryArray = nullptr;
fFactoryCount = 0;
}
void SkReadBuffer::setMemory(const void* data, size_t size) {
this->validate(IsPtrAlign4(data) && (SkAlign4(size) == size));
if (!fError) {
fReader.setMemory(data, size);
}
}
void SkReadBuffer::setInvalid() {
if (!fError) {
// When an error is found, send the read cursor to the end of the stream
fReader.skip(fReader.available());
fError = true;
}
}
const void* SkReadBuffer::skip(size_t size) {
size_t inc = SkAlign4(size);
this->validate(inc >= size);
const void* addr = fReader.peek();
this->validate(IsPtrAlign4(addr) && fReader.isAvailable(inc));
if (fError) {
return nullptr;
}
fReader.skip(size);
return addr;
}
const void* SkReadBuffer::skip(size_t count, size_t size) {
return this->skip(SkSafeMath::Mul(count, size));
}
void SkReadBuffer::setDeserialProcs(const SkDeserialProcs& procs) {
fProcs = procs;
}
bool SkReadBuffer::readBool() {
uint32_t value = this->readUInt();
// Boolean value should be either 0 or 1
this->validate(!(value & ~1));
return value != 0;
}
SkColor SkReadBuffer::readColor() {
return this->readUInt();
}
int32_t SkReadBuffer::readInt() {
const size_t inc = sizeof(int32_t);
this->validate(IsPtrAlign4(fReader.peek()) && fReader.isAvailable(inc));
return fError ? 0 : fReader.readInt();
}
SkScalar SkReadBuffer::readScalar() {
const size_t inc = sizeof(SkScalar);
this->validate(IsPtrAlign4(fReader.peek()) && fReader.isAvailable(inc));
return fError ? 0 : fReader.readScalar();
}
uint32_t SkReadBuffer::readUInt() {
return this->readInt();
}
int32_t SkReadBuffer::read32() {
return this->readInt();
}
uint8_t SkReadBuffer::peekByte() {
if (fReader.available() <= 0) {
fError = true;
return 0;
}
return *((uint8_t*) fReader.peek());
}
bool SkReadBuffer::readPad32(void* buffer, size_t bytes) {
if (const void* src = this->skip(bytes)) {
memcpy(buffer, src, bytes);
return true;
}
return false;
}
const char* SkReadBuffer::readString(size_t* len) {
*len = this->readUInt();
// The string is len characters and a terminating \0.
const char* c_str = this->skipT<char>(*len+1);
if (this->validate(c_str && c_str[*len] == '\0')) {
return c_str;
}
return nullptr;
}
void SkReadBuffer::readString(SkString* string) {
size_t len;
if (const char* c_str = this->readString(&len)) {
string->set(c_str, len);
return;
}
string->reset();
}
void SkReadBuffer::readColor4f(SkColor4f* color) {
if (!this->readPad32(color, sizeof(SkColor4f))) {
*color = {0, 0, 0, 0};
}
}
void SkReadBuffer::readPoint(SkPoint* point) {
point->fX = this->readScalar();
point->fY = this->readScalar();
}
void SkReadBuffer::readPoint3(SkPoint3* point) {
this->readPad32(point, sizeof(SkPoint3));
}
void SkReadBuffer::readMatrix(SkMatrix* matrix) {
size_t size = 0;
if (this->isValid()) {
size = SkMatrixPriv::ReadFromMemory(matrix, fReader.peek(), fReader.available());
(void)this->validate((SkAlign4(size) == size) && (0 != size));
}
if (!this->isValid()) {
matrix->reset();
}
(void)this->skip(size);
}
void SkReadBuffer::readIRect(SkIRect* rect) {
if (!this->readPad32(rect, sizeof(SkIRect))) {
rect->setEmpty();
}
}
void SkReadBuffer::readRect(SkRect* rect) {
if (!this->readPad32(rect, sizeof(SkRect))) {
rect->setEmpty();
}
}
void SkReadBuffer::readRRect(SkRRect* rrect) {
if (!this->validate(fReader.readRRect(rrect))) {
rrect->setEmpty();
}
}
void SkReadBuffer::readRegion(SkRegion* region) {
size_t size = 0;
if (!fError) {
size = region->readFromMemory(fReader.peek(), fReader.available());
if (!this->validate((SkAlign4(size) == size) && (0 != size))) {
region->setEmpty();
}
}
(void)this->skip(size);
}
void SkReadBuffer::readPath(SkPath* path) {
size_t size = 0;
if (!fError) {
size = path->readFromMemory(fReader.peek(), fReader.available());
if (!this->validate((SkAlign4(size) == size) && (0 != size))) {
path->reset();
}
}
(void)this->skip(size);
}
bool SkReadBuffer::readArray(void* value, size_t size, size_t elementSize) {
const uint32_t count = this->readUInt();
return this->validate(size == count) &&
this->readPad32(value, SkSafeMath::Mul(size, elementSize));
}
bool SkReadBuffer::readByteArray(void* value, size_t size) {
return this->readArray(value, size, sizeof(uint8_t));
}
bool SkReadBuffer::readColorArray(SkColor* colors, size_t size) {
return this->readArray(colors, size, sizeof(SkColor));
}
bool SkReadBuffer::readColor4fArray(SkColor4f* colors, size_t size) {
return this->readArray(colors, size, sizeof(SkColor4f));
}
bool SkReadBuffer::readIntArray(int32_t* values, size_t size) {
return this->readArray(values, size, sizeof(int32_t));
}
bool SkReadBuffer::readPointArray(SkPoint* points, size_t size) {
return this->readArray(points, size, sizeof(SkPoint));
}
bool SkReadBuffer::readScalarArray(SkScalar* values, size_t size) {
return this->readArray(values, size, sizeof(SkScalar));
}
sk_sp<SkData> SkReadBuffer::readByteArrayAsData() {
size_t numBytes = this->getArrayCount();
if (!this->validate(fReader.isAvailable(numBytes))) {
return nullptr;
}
SkAutoMalloc buffer(numBytes);
if (!this->readByteArray(buffer.get(), numBytes)) {
return nullptr;
}
return SkData::MakeFromMalloc(buffer.release(), numBytes);
}
uint32_t SkReadBuffer::getArrayCount() {
const size_t inc = sizeof(uint32_t);
fError = fError || !IsPtrAlign4(fReader.peek()) || !fReader.isAvailable(inc);
return fError ? 0 : *(uint32_t*)fReader.peek();
}
/* Format:
* (subset) width, height
* (subset) origin x, y
* size (31bits)
* data [ encoded, with raw width/height ]
*/
sk_sp<SkImage> SkReadBuffer::readImage() {
SkIRect bounds;
if (this->isVersionLT(SkPicturePriv::kStoreImageBounds_Version)) {
bounds.fLeft = bounds.fTop = 0;
bounds.fRight = this->read32();
bounds.fBottom = this->read32();
} else {
this->readIRect(&bounds);
}
const int width = bounds.width();
const int height = bounds.height();
if (width <= 0 || height <= 0) { // SkImage never has a zero dimension
this->validate(false);
return nullptr;
}
int32_t size = this->read32();
if (size == SK_NaN32) {
// 0x80000000 is never valid, since it cannot be passed to abs().
this->validate(false);
return nullptr;
}
if (size == 0) {
// The image could not be encoded at serialization time - return an empty placeholder.
return MakeEmptyImage(width, height);
}
// we used to negate the size for "custom" encoded images -- ignore that signal (Dec-2017)
size = SkAbs32(size);
if (size == 1) {
// legacy check (we stopped writing this for "raw" images Nov-2017)
this->validate(false);
return nullptr;
}
// Preflight check to make sure there's enough stuff in the buffer before
// we allocate the memory. This helps the fuzzer avoid OOM when it creates
// bad/corrupt input.
if (!this->validateCanReadN<uint8_t>(size)) {
return nullptr;
}
sk_sp<SkData> data = SkData::MakeUninitialized(size);
if (!this->readPad32(data->writable_data(), size)) {
this->validate(false);
return nullptr;
}
if (this->isVersionLT(SkPicturePriv::kDontNegateImageSize_Version)) {
(void)this->read32(); // originX
(void)this->read32(); // originY
}
sk_sp<SkImage> image;
if (fProcs.fImageProc) {
image = fProcs.fImageProc(data->data(), data->size(), fProcs.fImageCtx);
}
if (!image) {
image = SkImage::MakeFromEncoded(std::move(data));
}
if (image) {
if (bounds.x() || bounds.y() || width < image->width() || height < image->height()) {
image = image->makeSubset(bounds);
}
}
// Question: are we correct to return an "empty" image instead of nullptr, if the decoder
// failed for some reason?
return image ? image : MakeEmptyImage(width, height);
}
sk_sp<SkTypeface> SkReadBuffer::readTypeface() {
// Read 32 bits (signed)
// 0 -- return null (default font)
// >0 -- index
// <0 -- custom (serial procs) : negative size in bytes
int32_t index = this->read32();
if (index == 0) {
return nullptr;
} else if (index > 0) {
if (!this->validate(index <= fTFCount)) {
return nullptr;
}
return fTFArray[index - 1];
} else { // custom
size_t size = sk_negate_to_size_t(index);
const void* data = this->skip(size);
if (!this->validate(data != nullptr && fProcs.fTypefaceProc)) {
return nullptr;
}
return fProcs.fTypefaceProc(data, size, fProcs.fTypefaceCtx);
}
}
SkFlattenable* SkReadBuffer::readFlattenable(SkFlattenable::Type ft) {
SkFlattenable::Factory factory = nullptr;
if (fFactoryCount > 0) {
int32_t index = this->read32();
if (0 == index || !this->isValid()) {
return nullptr; // writer failed to give us the flattenable
}
index -= 1; // we stored the index-base-1
if ((unsigned)index >= (unsigned)fFactoryCount) {
this->validate(false);
return nullptr;
}
factory = fFactoryArray[index];
} else {
if (this->peekByte() != 0) {
// If the first byte is non-zero, the flattenable is specified by a string.
size_t ignored_length;
if (const char* name = this->readString(&ignored_length)) {
factory = SkFlattenable::NameToFactory(name);
fFlattenableDict.set(fFlattenableDict.count() + 1, factory);
}
} else {
// Read the index. We are guaranteed that the first byte
// is zeroed, so we must shift down a byte.
uint32_t index = this->readUInt() >> 8;
if (index == 0) {
return nullptr; // writer failed to give us the flattenable
}
if (SkFlattenable::Factory* found = fFlattenableDict.find(index)) {
factory = *found;
}
}
if (!this->validate(factory != nullptr)) {
return nullptr;
}
}
// if we get here, factory may still be null, but if that is the case, the
// failure was ours, not the writer.
sk_sp<SkFlattenable> obj;
uint32_t sizeRecorded = this->read32();
if (factory) {
size_t offset = fReader.offset();
obj = (*factory)(*this);
// check that we read the amount we expected
size_t sizeRead = fReader.offset() - offset;
if (sizeRecorded != sizeRead) {
this->validate(false);
return nullptr;
}
if (obj && obj->getFlattenableType() != ft) {
this->validate(false);
return nullptr;
}
} else {
// we must skip the remaining data
fReader.skip(sizeRecorded);
}
if (!this->isValid()) {
return nullptr;
}
return obj.release();
}
///////////////////////////////////////////////////////////////////////////////////////////////////
int32_t SkReadBuffer::checkInt(int32_t min, int32_t max) {
SkASSERT(min <= max);
int32_t value = this->read32();
if (value < min || value > max) {
this->validate(false);
value = min;
}
return value;
}
SkFilterQuality SkReadBuffer::checkFilterQuality() {
return this->checkRange<SkFilterQuality>(kNone_SkFilterQuality, kLast_SkFilterQuality);
}
#endif // #ifndef SK_DISABLE_READBUFFER