From f04d09d1075926a5e5ef0a52171c9c12043fab03 Mon Sep 17 00:00:00 2001
From: Florin Malita <fmalita@google.com>
Date: Fri, 27 Mar 2026 12:07:04 -0400
Subject: [PATCH] Use a local data copy for strike deserialization

The readStrikeData() input is volatile (shared memory) and untrusted.

To avoid time-of-check to time-of-use issues during deserialization,
always make a copy when transitioning to internal/non-volatile APIs.

This is similar to the other defensive copies used in Chromium's
cc/paint_op deserialization, e.g. [1].

[1] https://source.chromium.org/chromium/chromium/src/+/main:cc/paint/paint_op_reader.cc;drc=9c91b2494d4bf0a2d33b5985f7d1af79e72146f2;l=329

Bug: https://issues.chromium.org/issues/496206134
Change-Id: I775d24b10ee7348b159016171ce044737f5bcbe0
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/1197136
Commit-Queue: Florin Malita <fmalita@google.com>
Reviewed-by: Kaylee Lubick <kjlubick@google.com>
---
 src/text/gpu/SkChromeRemoteGlyphCache.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/text/gpu/SkChromeRemoteGlyphCache.cpp b/src/text/gpu/SkChromeRemoteGlyphCache.cpp
index b0a37db298..caf2869d3a 100644
--- a/src/text/gpu/SkChromeRemoteGlyphCache.cpp
+++ b/src/text/gpu/SkChromeRemoteGlyphCache.cpp
@@ -632,9 +632,12 @@ bool SkStrikeClientImpl::readStrikeData(const volatile void* memory, size_t memo
     SkASSERT(memorySize != 0);
     SkASSERT(memory != nullptr);
 
+    // Use a local copy to defend against volatile memory TOCTOU issues during deserialization.
+    sk_sp<SkData> safeMemory = SkData::MakeWithCopy(const_cast<const void*>(memory), memorySize);
+
     // We do not need to set any SkDeserialProcs here because SkStrikeServerImpl::writeStrikeData
     // did not encode any SkImages.
-    SkReadBuffer buffer{const_cast<const void*>(memory), memorySize};
+    SkReadBuffer buffer{safeMemory->data(), safeMemory->size()};
     // Limit the kinds of effects that appear in a glyph's drawable (crbug.com/1442140):
     buffer.setAllowSkSL(false);
 
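Review bot: The copy made by `SkData::MakeWithCopy(...)` only closes the double-fetch window if nothing after it reads `memory` again, and the rest of readStrikeData lies outside this hunk, so that is worth confirming. The added comment could state the invariant, e.g. `// Snapshot the shared-memory input once; everything below must read from safeMemory, never from memory.` The two `SkASSERT`s above the copy are presumably compiled out of release builds, so a null `memory` or zero `memorySize` from the untrusted side would reach the copy unchecked. Adding `if (memory == nullptr || memorySize == 0) { return false; }` before it would turn that into a clean failure. The allocation is also sized by the caller-supplied `memorySize`, so any upper bound has to be enforced by the caller or added here.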
-- 
2.43.0

