author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-12-19 13:21:20 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-12-20 10:11:12 +0000 |
commit | 44d355f3b2de616db2a0dec6d01b0bfb0d6ba947 (patch) | |
tree | 56e794641dda904def0b04f0bfe01e87501f0453 | |
parent | ecf956cc0aa45a4bb64f32d66e6dac48a0144011 (diff) | |
download | qtwebengine-chromium-44d355f3b2de616db2a0dec6d01b0bfb0d6ba947.tar.gz |
[Backport] Remove unsafe align4 call
Align by 4 safely before calling malloc.
BUG=chromium:763972
Reviewed-on: https://skia-review.googlesource.com/49760
(CVE-2017-15409)
Change-Id: I04d2feacc20b9b0eaa4921c6e0378fcad88fcd42
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r-- | chromium/third_party/skia/src/core/SkMask.cpp | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/chromium/third_party/skia/src/core/SkMask.cpp b/chromium/third_party/skia/src/core/SkMask.cpp
index 167d30d166b..7340d70f1ae 100644
--- a/chromium/third_party/skia/src/core/SkMask.cpp
+++ b/chromium/third_party/skia/src/core/SkMask.cpp
@@ -45,7 +45,14 @@ uint8_t* SkMask::AllocImage(size_t size) {
 #ifdef TRACK_SKMASK_LIFETIME
 SkDebugf("SkMask::AllocImage %d\n", gCounter++);
 #endif
- return (uint8_t*)sk_malloc_throw(SkAlign4(size));
+ size_t aligned_size = std::numeric_limits<size_t>::max();
+
+ // Expand size to next multiple of four.
+ size_t adjustment = 3;
+ if (size + adjustment > size) {
+ aligned_size = (size + adjustment) & ~adjustment;
+ }
+ return static_cast<uint8_t*>(sk_malloc_throw(aligned_size));
 }
 
 /** We explicitly use this allocator for SkBimap pixels, so that we can |
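Review bot: The overflow path in `AllocImage` is left implicit. When `size + adjustment` wraps, `aligned_size` keeps its initial `std::numeric_limits<size_t>::max()`, and the code relies on `sk_malloc_throw` failing for that request instead of returning a short buffer. That allocator's behaviour is not visible in this hunk, and the only comment describes the rounding. I would say so above the initialiser, e.g. `// On wrap-around keep SIZE_MAX so sk_malloc_throw fails instead of under-allocating.` The diffstat shows no other change to this file, so the commit adds no `#include <limits>`; unless SkMask.cpp already includes it, add it rather than depend on a transitive include. The function's opening line appears only in the hunk header.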