author Michael Brüning <michael.bruning@qt.io> 2019-12-02 10:25:19 +0100
committer Michael Brüning <michael.bruning@qt.io> 2019-12-02 18:26:08 +0000
commit 0ad2976e0e0960bb61706e29099508115047d3bf (patch)
tree ae96382cf36f61a9ffb126ef08260da5083dd947
parent c50dd4c5a9466bf01f2351b590f7178b27967329 (diff)
download qtwebengine-chromium-0ad2976e0e0960bb61706e29099508115047d3bf.tar.gz
[Backport] Fix for CVE-2019-5814
Manual backport from Blink to WebKit.

CORS errors are broken for ImageBitmapRenderingContext

ImageBitmapRenderingContext.toDataURL() does not throw CORS errors when reading from a tainted canvas. It is not super urgent right now as the entire functionality is broken: it simply returns black pixels, so there is no security vulnerability RIGHT now. Regardless, once https://bugs.chromium.org/p/chromium/issues/detail?id=838108 is fixed, it will expose a problem.

Currently toDataURL() in dev builds fails at https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/graphics/unaccelerated_static_bitmap_image.cc?q=unaccelerated_static_bitmap_image&sq=package:chromium&dr=C&l=28 and on https://cs.chromium.org/chromium/src/cc/paint/paint_image_builder.cc?dr=C&q=paint_image_builder&sq=package:chromium&g=0&l=47. Not sure when this was introduced, but as of now we have no tests for toDataURL().

toDataURL() with LOCAL images also appears to be broken for ImageBitmapRenderingContext, as it just returns empty images. Will add tests and try to fix those problems in other CLs.

Bug: 930057
Change-Id: I4e0837a49f7a71c937746fbcac8b6edcf51fd6d7
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- chromium/third_party/WebKit/Source/modules/imagebitmap/ImageBitmapRenderingContext.cpp | 4
1 file changed, 4 insertions, 0 deletions
diff --git a/chromium/third_party/WebKit/Source/modules/imagebitmap/ImageBitmapRenderingContext.cpp b/chromium/third_party/WebKit/Source/modules/imagebitmap/ImageBitmapRenderingContext.cpp
index 266a97d7b52..61715aa00e5 100644
--- a/chromium/third_party/WebKit/Source/modules/imagebitmap/ImageBitmapRenderingContext.cpp
+++ b/chromium/third_party/WebKit/Source/modules/imagebitmap/ImageBitmapRenderingContext.cpp
@@ -40,6 +40,10 @@ void ImageBitmapRenderingContext::transferFromImageBitmap(
return;
}
+ if (imageBitmap->wouldTaintOrigin(nullptr)) {
+ canvas()->setOriginTainted();
+ }
+
m_image = imageBitmap->bitmapImage();
if (!m_image)
return;
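Review bot: The `nullptr` argument in `if (imageBitmap->wouldTaintOrigin(nullptr))` carries the whole security decision of this hunk but is left unexplained; add a one-line comment stating that no destination origin is passed because the canvas must be marked tainted regardless of which origin later reads it, so a future reader does not "fix" it by threading a caller origin through. Also confirm the placement is intentional: the new check sits after the early `return; }` block at the top of the hunk, so any bitmap that takes that early exit never reaches `canvas()->setOriginTainted()`; that is correct only if the early return covers cases where nothing is drawn. Finally, the commit message itself states there are no tests for toDataURL() on this context, so this backport should land together with a layout test that transfers a cross-origin ImageBitmap and asserts that toDataURL() then throws a SecurityError, rather than deferring it to "other CLs"; without it there is nothing guarding the taint propagation once bug 838108 is fixed and real pixels are returned.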