| author | Michael Brüning <michael.bruning@qt.io> | 2019-12-02 10:25:19 +0100 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2019-12-02 18:26:08 +0000 |
| commit | 0ad2976e0e0960bb61706e29099508115047d3bf (patch) | |
| tree | ae96382cf36f61a9ffb126ef08260da5083dd947 | |
| parent | c50dd4c5a9466bf01f2351b590f7178b27967329 (diff) | |
| download | qtwebengine-chromium-0ad2976e0e0960bb61706e29099508115047d3bf.tar.gz | |
[Backport] Fix for CVE-2019-5814
Manual backport from Blink to WebKit.
CORS errors are broken for ImageBitmapRenderingContext
ImageBitmapRenderingContext.toDataURL() does not throw CORS errors
when reading from a tainted canvas. It is not super urgent right now
as the entire functionality is broken, it simply returns black pixels,
so there is no security vulnerability RIGHT now. Regardless,
once https://bugs.chromium.org/p/chromium/issues/detail?id=838108 is
fixed, it will expose a problem.
Currently toDataURL() in dev builds fails https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/graphics/unaccelerated_static_bitmap_image.cc?q=unaccelerated_static_bitmap_image&sq=package:chromium&dr=C&l=28
and on https://cs.chromium.org/chromium/src/cc/paint/paint_image_builder.cc?dr=C&q=paint_image_builder&sq=package:chromium&g=0&l=47
Not sure when this was introduced, but as of now we have no tests for
toDataURL().
toDataURL() with LOCAL images also appears to be broken for
ImageBitmapRenderingContext, as it just returns empty images.
Will add tests and try to fix those problems in other CLs.
Bug: 930057
Change-Id: I4e0837a49f7a71c937746fbcac8b6edcf51fd6d7
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/WebKit/Source/modules/imagebitmap/ImageBitmapRenderingContext.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/chromium/third_party/WebKit/Source/modules/imagebitmap/ImageBitmapRenderingContext.cpp b/chromium/third_party/WebKit/Source/modules/imagebitmap/ImageBitmapRenderingContext.cpp index 266a97d7b52..61715aa00e5 100644 --- a/chromium/third_party/WebKit/Source/modules/imagebitmap/ImageBitmapRenderingContext.cpp +++ b/chromium/third_party/WebKit/Source/modules/imagebitmap/ImageBitmapRenderingContext.cpp @@ -40,6 +40,10 @@ void ImageBitmapRenderingContext::transferFromImageBitmap( return; } + if (imageBitmap->wouldTaintOrigin(nullptr)) { + canvas()->setOriginTainted(); + } + m_image = imageBitmap->bitmapImage(); if (!m_image) return; |
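Review bot: the new block calls canvas()->setOriginTainted() with no null check on canvas() and gives no comment on why wouldTaintOrigin() is passed nullptr; if an ImageBitmapRenderingContext can exist without an HTMLCanvasElement host, guard the dereference, and add a one-line comment explaining what a null origin argument means for the taint decision so the next backporter does not have to reverse-engineer it. Performing the check before m_image is replaced is the right direction, since a bitmapImage() that turns out null still leaves the canvas tainted rather than clean. As the commit message itself notes that toDataURL() currently has no tests, a regression test that transfers a cross-origin ImageBitmap and asserts that toDataURL() then fails with a SecurityError would belong with this backport.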