diff options
author | John Stiles <johnstiles@google.com> | 2023-04-13 17:58:24 -0400 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2023-05-02 08:59:32 +0000 |
commit | 82304e12695dd5732839a649f15eaa4ce08abfe5 (patch) | |
tree | 4ed53fd6e5b86f6de12c98945dae65612e8c7a70 | |
parent | 5c93fd0f90d784bb2be6eccbc9452dbf19c70cd2 (diff) | |
download | qtwebengine-chromium-82304e12695dd5732839a649f15eaa4ce08abfe5.tar.gz |
[Backport] CVE-2023-2136: Integer overflow in Skia (2/2)
Cherry-pick of patch originally reviewed on
https://skia-review.googlesource.com/c/skia/+/673577:
Enforce size limits on struct and array declarations.
M108 merge issues:
resources/sksl/BUILD.bazel:
File doesn't exist in M108, tests are added manually to gn/sksl_tests.gni.
gn/sksl_tests.gni:
Conflicting rts entries
tests/sksl/shared/Ossfuzz37900.*
Not present in 108, skipped.
src/sksl/ir/SkSLType.cpp:
- Conflicting includes
- MakeStructType():
- Conflicting function signature
- context isn't a parameter, used ThreadContext::Context() directly.
This improves error reporting by more clearly attaching the error
message to the oversized type.
Bug: chromium:1432603
Change-Id: I26511f08aff22072cf4913abf7be2c49940a732c
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/671377
Commit-Queue: John Stiles <johnstiles@google.com>
(cherry picked from commit 1cbd33ecd73523f8d4bf88e9c5576303b39e5556)
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/673577
Reviewed-by: John Stiles <johnstiles@google.com>
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/474619
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/skia/src/sksl/dsl/DSLType.cpp | 4 | ||||
-rw-r--r-- | chromium/third_party/skia/src/sksl/ir/SkSLType.cpp | 20 |
2 files changed, 19 insertions, 5 deletions
diff --git a/chromium/third_party/skia/src/sksl/dsl/DSLType.cpp b/chromium/third_party/skia/src/sksl/dsl/DSLType.cpp index 5648c51c92b..aacdfb00052 100644 --- a/chromium/third_party/skia/src/sksl/dsl/DSLType.cpp +++ b/chromium/third_party/skia/src/sksl/dsl/DSLType.cpp @@ -266,7 +266,7 @@ DSLExpression DSLType::Construct(DSLType type, SkSpan<DSLExpression> argArray) { DSLType Array(const DSLType& base, int count, Position pos) { count = base.skslType().convertArraySize(ThreadContext::Context(), pos, - DSLExpression(count, pos).release()); + DSLExpression(count, pos).release()); if (!count) { return DSLType(kPoison_Type); } @@ -278,7 +278,7 @@ DSLType UnsizedArray(const DSLType& base, Position pos) { return DSLType(kPoison_Type); } return ThreadContext::SymbolTable()->addArrayDimension(&base.skslType(), - SkSL::Type::kUnsizedArray); + SkSL::Type::kUnsizedArray); } DSLType Struct(std::string_view name, SkSpan<DSLField> fields, Position pos) { diff --git a/chromium/third_party/skia/src/sksl/ir/SkSLType.cpp b/chromium/third_party/skia/src/sksl/ir/SkSLType.cpp index 04c1946509e..c474db149f5 100644 --- a/chromium/third_party/skia/src/sksl/ir/SkSLType.cpp +++ b/chromium/third_party/skia/src/sksl/ir/SkSLType.cpp @@ -12,10 +12,12 @@ #include "include/private/SkTFitsIn.h" #include "include/sksl/SkSLErrorReporter.h" #include "src/core/SkMathPriv.h" +#include "src/core/SkSafeMath.h" #include "src/sksl/SkSLBuiltinTypes.h" #include "src/sksl/SkSLConstantFolder.h" #include "src/sksl/SkSLContext.h" #include "src/sksl/SkSLProgramSettings.h" +#include "src/sksl/SkSLThreadContext.h" #include "src/sksl/ir/SkSLConstructorArrayCast.h" #include "src/sksl/ir/SkSLConstructorCompoundCast.h" #include "src/sksl/ir/SkSLConstructorScalarCast.h" @@ -648,6 +650,17 @@ std::unique_ptr<Type> Type::MakeScalarType(std::string_view name, const char* ab std::unique_ptr<Type> Type::MakeStructType(Position pos, std::string_view name, std::vector<Field> fields, bool interfaceBlock) { + size_t slots = 0; + for (const Field& field : fields) { + if (field.fType->isUnsizedArray()) { + continue; + } + slots = SkSafeMath::Add(slots, field.fType->slotCount()); + if (slots >= kVariableSlotLimit) { + ThreadContext::Context().fErrors->error(pos, "struct is too large"); + break; + } + } return std::make_unique<StructType>(pos, name, std::move(fields), interfaceBlock); } @@ -1120,8 +1133,9 @@ bool Type::checkIfUsableInArray(const Context& context, Position arrayPos) const return true; } -SKSL_INT Type::convertArraySize(const Context& context, Position arrayPos, - std::unique_ptr<Expression> size) const { +SKSL_INT Type::convertArraySize(const Context& context, + Position arrayPos, + std::unique_ptr<Expression> size) const { size = context.fTypes.fInt->coerceExpression(std::move(size), context); if (!size) { return 0; @@ -1138,7 +1152,7 @@ SKSL_INT Type::convertArraySize(const Context& context, Position arrayPos, context.fErrors->error(size->fPosition, "array size must be positive"); return 0; } - if (!SkTFitsIn<int32_t>(count)) { + if (SkSafeMath::Mul(this->slotCount(), count) > kVariableSlotLimit) { context.fErrors->error(size->fPosition, "array size is too large"); return 0; } |