authorAllan Sandfeld Jensen <allan.jensen@qt.io>2017-12-19 13:21:20 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2017-12-20 10:11:12 +0000
commit44d355f3b2de616db2a0dec6d01b0bfb0d6ba947 (patch)
tree56e794641dda904def0b04f0bfe01e87501f0453
parentecf956cc0aa45a4bb64f32d66e6dac48a0144011 (diff)
downloadqtwebengine-chromium-44d355f3b2de616db2a0dec6d01b0bfb0d6ba947.tar.gz
[Backport] Remove unsafe align4 call
Align by 4 safely before calling malloc. BUG=chromium:763972 Reviewed-on: https://skia-review.googlesource.com/49760 (CVE-2017-15409) Change-Id: I04d2feacc20b9b0eaa4921c6e0378fcad88fcd42 Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--chromium/third_party/skia/src/core/SkMask.cpp9
1 files changed, 8 insertions, 1 deletions
diff --git a/chromium/third_party/skia/src/core/SkMask.cpp b/chromium/third_party/skia/src/core/SkMask.cpp
index 167d30d166b..7340d70f1ae 100644
--- a/chromium/third_party/skia/src/core/SkMask.cpp
+++ b/chromium/third_party/skia/src/core/SkMask.cpp
@@ -45,7 +45,14 @@ uint8_t* SkMask::AllocImage(size_t size) {
#ifdef TRACK_SKMASK_LIFETIME
SkDebugf("SkMask::AllocImage %d\n", gCounter++);
#endif
- return (uint8_t*)sk_malloc_throw(SkAlign4(size));
+ size_t aligned_size = std::numeric_limits<size_t>::max();
+
+ // Expand size to next multiple of four.
+ size_t adjustment = 3;
+ if (size + adjustment > size) {
+ aligned_size = (size + adjustment) & ~adjustment;
+ }
+ return static_cast<uint8_t*>(sk_malloc_throw(aligned_size));
}
/** We explicitly use this allocator for SkBimap pixels, so that we can
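Review bot: The overflow branch in `AllocImage` is safe only if `sk_malloc_throw` treats a `std::numeric_limits<size_t>::max()` request as a fatal allocation failure, and nothing in the hunk states that. When `size + adjustment` wraps, `aligned_size` keeps the sentinel, so a comment on the initializer should record the intent, for example `// Stays SIZE_MAX when size + 3 wraps, so sk_malloc_throw fails instead of returning a short buffer.` The diffstat shows this as the only hunk in the file, so no `#include <limits>` is added. Unless SkMask.cpp already includes it above the hunk, the new code relies on a transitive include and should add it explicitly. The function body begins above the hunk, so any earlier use of `size` is not visible here.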