fix(🔐): remove potential buffer over-reads (#3086)

Author: wcandillon

packages/skia/cpp/api/JsiSkCanvas.h

@@ -243,6 +243,12 @@ class JsiSkCanvas : public JsiSkHostObject {
 
     auto jsiPoints = arguments[1].asObject(runtime).asArray(runtime);
     auto pointsSize = jsiPoints.size(runtime);
+    
+    // Check if we have at least one point
+    if (pointsSize == 0) {
+      throw std::invalid_argument("Points array must not be empty");
+    }
+    
     points.reserve(pointsSize);
 
     for (int i = 0; i < pointsSize; i++) {
@@ -274,6 +280,12 @@ class JsiSkCanvas : public JsiSkHostObject {
 
     auto jsiCubics = arguments[0].asObject(runtime).asArray(runtime);
     auto cubicsSize = jsiCubics.size(runtime);
+    
+    // Validate cubic points - must be exactly 12 points
+    if (cubicsSize != 12) {
+      throw std::invalid_argument("Cubic points array must contain exactly 12 points");
+    }
+    
     cubics.reserve(cubicsSize);
     for (int i = 0; i < cubicsSize; i++) {
       std::shared_ptr<SkPoint> point = JsiSkPoint::fromValue(
@@ -284,6 +296,12 @@ class JsiSkCanvas : public JsiSkHostObject {
     if (count >= 2 && !arguments[1].isNull() && !arguments[1].isUndefined()) {
       auto jsiColors = arguments[1].asObject(runtime).asArray(runtime);
       auto colorsSize = jsiColors.size(runtime);
+      
+      // Validate colors array - must be exactly 4 colors
+      if (colorsSize != 4) {
+        throw std::invalid_argument("Colors array must contain exactly 4 colors");
+      }
+      
       colors.reserve(colorsSize);
       for (int i = 0; i < colorsSize; i++) {
         SkColor color = JsiSkColor::fromValue(
@@ -295,6 +313,12 @@ class JsiSkCanvas : public JsiSkHostObject {
     if (count >= 3 && !arguments[2].isNull() && !arguments[2].isUndefined()) {
       auto jsiTexs = arguments[2].asObject(runtime).asArray(runtime);
       auto texsSize = jsiTexs.size(runtime);
+      
+      // Validate textures array - must be exactly 4 points
+      if (texsSize != 4) {
+        throw std::invalid_argument("Texture coordinates array must contain exactly 4 points");
+      }
+      
       texs.reserve(texsSize);
       for (int i = 0; i < texsSize; i++) {
         auto point = JsiSkPoint::fromValue(
@@ -306,7 +330,8 @@ class JsiSkCanvas : public JsiSkHostObject {
     auto paint =
         count >= 4 ? JsiSkPaint::fromValue(runtime, arguments[4]) : nullptr;
     auto blendMode = static_cast<SkBlendMode>(arguments[3].asNumber());
-    _canvas->drawPatch(cubics.data(), colors.data(), texs.data(), blendMode,
+    _canvas->drawPatch(cubics.data(), colors.empty() ? nullptr : colors.data(), 
+                       texs.empty() ? nullptr : texs.data(), blendMode,
                        *paint);
     return jsi::Value::undefined();
   }
@@ -364,6 +389,12 @@ class JsiSkCanvas : public JsiSkHostObject {
 
     std::vector<SkGlyphID> glyphs;
     int glyphsSize = static_cast<int>(jsiGlyphs.size(runtime));
+    
+    // Validate that glyphs and positions arrays have the same size
+    if (glyphsSize != pointsSize) {
+      throw std::invalid_argument("Glyphs and positions arrays must have the same length");
+    }
+    
     glyphs.reserve(glyphsSize);
     for (int i = 0; i < glyphsSize; i++) {
       glyphs.push_back(jsiGlyphs.getValueAtIndex(runtime, i).asNumber());
@@ -522,11 +553,22 @@ class JsiSkCanvas : public JsiSkHostObject {
           runtime, rects.getValueAtIndex(runtime, i).asObject(runtime));
       skRects.push_back(*rect.get());
     }
+    
+    // Validate transforms and rects have the same size
+    if (xformsSize != rectsSize) {
+      throw std::invalid_argument("Transforms and rects arrays must have the same length");
+    }
 
     std::vector<SkColor> colors;
     if (count > 5 && !arguments[5].isUndefined()) {
       auto colorsArray = arguments[5].asObject(runtime).asArray(runtime);
       int colorsSize = static_cast<int>(colorsArray.size(runtime));
+      
+      // Validate colors array matches the size of sprites and transforms
+      if (colorsSize != rectsSize) {
+        throw std::invalid_argument("Colors array must have the same length as rects/transforms");
+      }
+      
       colors.reserve(colorsSize);
       for (int i = 0; i < colorsSize; i++) {
         // Convert from [r,g,b,a] in [0,1] to SkColor
@@ -551,7 +593,8 @@ class JsiSkCanvas : public JsiSkHostObject {
       sampling = SamplingOptionsFromValue(runtime, arguments[6]);
     }
     _canvas->drawAtlas(atlas.get(), xforms.data(), skRects.data(),
-                       colors.data(), skRects.size(), blendMode, sampling,
+                       colors.empty() ? nullptr : colors.data(), 
+                       skRects.size(), blendMode, sampling,
                        nullptr, paint.get());
 
     return jsi::Value::undefined();

packages/skia/cpp/api/recorder/Drawings.h

@@ -637,6 +637,16 @@ class PatchCmd : public Command {
   }
 
   void draw(DrawingCtx *ctx) {
+    // Validate colors array has exactly 4 colors if provided
+    if (props.colors.has_value() && props.colors.value().size() != 4) {
+      throw std::invalid_argument("Colors array for patch must have exactly 4 colors");
+    }
+    
+    // Validate texture array has exactly 4 points if provided
+    if (props.texture.has_value() && props.texture.value().size() != 4) {
+      throw std::invalid_argument("Texture coordinates array for patch must have exactly 4 points");
+    }
+
     // Determine default blend mode based on presence of colors
     SkBlendMode defaultBlendMode = props.colors.has_value()
                                        ? SkBlendMode::kDstOver
@@ -676,6 +686,15 @@ class VerticesCmd : public Command {
   }
 
   void draw(DrawingCtx *ctx) {
+    // Validate array sizes
+    if (props.colors.has_value() && props.colors.value().size() != props.vertices.size()) {
+      throw std::invalid_argument("Colors array must have the same size as vertices array");
+    }
+    
+    if (props.textures.has_value() && props.textures.value().size() != props.vertices.size()) {
+      throw std::invalid_argument("Textures array must have the same size as vertices array");
+    }
+
     // Create vertices using MakeCopy
     auto vertices = SkVertices::MakeCopy(
         props.mode, static_cast<int>(props.vertices.size()),
@@ -909,6 +928,16 @@ class AtlasCmd : public Command {
 
   void draw(DrawingCtx *ctx) {
     if (props.image) {
+      // Validate transforms and sprites have the same size
+      if (props.transforms.size() != props.sprites.size()) {
+        throw std::invalid_argument("transforms and sprites arrays must have the same length");
+      }
+      
+      // Validate colors array matches if provided
+      if (props.colors.has_value() && props.colors.value().size() != props.transforms.size()) {
+        throw std::invalid_argument("colors array must have the same length as transforms/sprites");
+      }
+      
       auto colors =
           props.colors.has_value() ? props.colors.value().data() : nullptr;
       auto blendMode = props.blendMode.value_or(SkBlendMode::kDstOver);

packages/skia/cpp/api/recorder/Shaders.h

@@ -239,6 +239,16 @@ class LinearGradientCmd : public Command {
   }
 
   void pushShader(DrawingCtx *ctx) {
+    // Validate colors array has at least 2 colors
+    if (props.colors.size() < 2) {
+      throw std::invalid_argument("Colors array must have at least 2 colors");
+    }
+    
+    // Validate positions array matches colors array in size
+    if (props.positions.has_value() && props.positions.value().size() != props.colors.size()) {
+      throw std::invalid_argument("Positions array must have the same size as colors array");
+    }
+    
     SkMatrix m3 = processTransform(props.matrix, props.transform, props.origin);
     const SkPoint pts[2] = {props.start, props.end};
     auto shader = SkGradientShader::MakeLinear(
@@ -276,6 +286,16 @@ class RadialGradientCmd : public Command {
   }
 
   void pushShader(DrawingCtx *ctx) {
+    // Validate colors array has at least 2 colors
+    if (props.colors.size() < 2) {
+      throw std::invalid_argument("Colors array must have at least 2 colors");
+    }
+    
+    // Validate positions array matches colors array in size
+    if (props.positions.has_value() && props.positions.value().size() != props.colors.size()) {
+      throw std::invalid_argument("Positions array must have the same size as colors array");
+    }
+    
     SkMatrix m3 = processTransform(props.matrix, props.transform, props.origin);
     auto shader = SkGradientShader::MakeRadial(
         props.center, props.radius, props.colors.data(),
@@ -314,6 +334,16 @@ class SweepGradientCmd : public Command {
   }
 
   void pushShader(DrawingCtx *ctx) {
+    // Validate colors array has at least 2 colors
+    if (props.colors.size() < 2) {
+      throw std::invalid_argument("Colors array must have at least 2 colors");
+    }
+    
+    // Validate positions array matches colors array in size
+    if (props.positions.has_value() && props.positions.value().size() != props.colors.size()) {
+      throw std::invalid_argument("Positions array must have the same size as colors array");
+    }
+    
     SkMatrix m3 = processTransform(props.matrix, props.transform, props.origin);
     auto shader = SkGradientShader::MakeSweep(
         props.center.x(), props.center.y(), props.colors.data(),
@@ -355,6 +385,16 @@ class TwoPointConicalGradientCmd : public Command {
   }
 
   void pushShader(DrawingCtx *ctx) {
+    // Validate colors array has at least 2 colors
+    if (props.colors.size() < 2) {
+      throw std::invalid_argument("Colors array must have at least 2 colors");
+    }
+    
+    // Validate positions array matches colors array in size
+    if (props.positions.has_value() && props.positions.value().size() != props.colors.size()) {
+      throw std::invalid_argument("Positions array must have the same size as colors array");
+    }
+    
     SkMatrix m3 = processTransform(props.matrix, props.transform, props.origin);
     auto shader = SkGradientShader::MakeTwoPointConical(
         props.start, props.startRadius, props.end, props.endRadius,