authorAllan Sandfeld Jensen <allan.jensen@qt.io>2018-01-25 17:02:23 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2018-01-25 21:41:26 +0000
commit543692ef8d0e17adecc36b07f36164f9bc93e85c (patch)
tree4c82d50f7015c206194128208a1a2b4023b98ea4
parent439b32a6aa2c1ec8e18e3f21b28a0c93102ba5bb (diff)
downloadqtwebengine-chromium-543692ef8d0e17adecc36b07f36164f9bc93e85c.tar.gz
[Backport] Tighten about IntRect use in WebGL with overflow detection
BUG=784183 TEST=test case in the bug in ASAN build R=kbr@chromium.org Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel Reviewed-on: https://chromium-review.googlesource.com/811826 Reviewed-by: Kenneth Russell <kbr@chromium.org> Commit-Queue: Zhenyao Mo <zmo@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#522213}(cherry picked from commit 3298d3abf47b3a7a10e44c07d821c68a5c8aa935) Reviewed-on: https://chromium-review.googlesource.com/815775 Reviewed-by: Zhenyao Mo <zmo@chromium.org> Cr-Commit-Position: refs/branch-heads/3282@{#80} Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840} (CVE-2018-6034) Change-Id: I18da82e2b063350caf56add656cd85a97537f8ae Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp8
-rw-r--r--chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.h6
-rw-r--r--chromium/third_party/WebKit/Source/platform/geometry/IntRect.cpp11
-rw-r--r--chromium/third_party/WebKit/Source/platform/geometry/IntRect.h3
4 files changed, 24 insertions, 4 deletions
diff --git a/chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp b/chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp
index 5387893f61b..a025578e8cf 100644
--- a/chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp
+++ b/chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp
@@ -4373,7 +4373,7 @@ void WebGLRenderingContextBase::TexImageImpl(
Vector<uint8_t> data;
IntRect sub_rect = source_image_rect;
- if (sub_rect == SentinelEmptyRect()) {
+ if (sub_rect.IsValid() && sub_rect == SentinelEmptyRect()) {
// Recalculate based on the size of the Image.
sub_rect = SafeGetImageSize(image);
}
@@ -5198,6 +5198,12 @@ void WebGLRenderingContextBase::TexImageHelperHTMLVideoElement(
yoffset, zoffset))
return;
+ if (!source_image_rect.IsValid()) {
+ SynthesizeGLError(GL_INVALID_OPERATION, func_name,
+ "source sub-rectangle specified via pixel unpack "
+ "parameters is invalid");
+ return;
+ }
bool source_image_rect_is_default =
source_image_rect == SentinelEmptyRect() ||
source_image_rect ==
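Review bot: The `sub_rect.IsValid() &&` guard added in the first hunk of TexImageImpl does not reject an overflowing rect, it only stops it from being replaced by the image size, so the rect is deliberately carried forward and presumably rejected by the sub-rectangle validation that the header hunk tightens; nothing on the line says so. A why-comment above the condition would keep a later reader from "simplifying" the guard away: `// An overflowing rect is intentionally kept as-is; it is rejected by the sub-rectangle validation, not silently replaced by the image size.` In the second hunk, the error text "source sub-rectangle specified via pixel unpack parameters is invalid" is now spelled out in two places (here and in WebGLRenderingContextBase.h), so a shared constant would prevent the two messages from drifting apart. Both TexImageImpl and TexImageHelperHTMLVideoElement start and continue outside their hunks.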
diff --git a/chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.h b/chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.h
index 0b82040f724..98242f5e0ca 100644
--- a/chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.h
+++ b/chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.h
@@ -1054,9 +1054,9 @@ class MODULES_EXPORT WebGLRenderingContextBase : public CanvasRenderingContext,
<< ") @ (" << sub_rect.X() << ", " << sub_rect.Y() << "), image = ("
<< image_width << " x " << image_height << ")";
- if (sub_rect.X() < 0 || sub_rect.Y() < 0 || sub_rect.MaxX() > image_width ||
- sub_rect.MaxY() > image_height || sub_rect.Width() < 0 ||
- sub_rect.Height() < 0) {
+ if (!sub_rect.IsValid() || sub_rect.X() < 0 || sub_rect.Y() < 0 ||
+ sub_rect.MaxX() > image_width || sub_rect.MaxY() > image_height ||
+ sub_rect.Width() < 0 || sub_rect.Height() < 0) {
SynthesizeGLError(GL_INVALID_OPERATION, function_name,
"source sub-rectangle specified via pixel unpack "
"parameters is invalid");
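Review bot: The `!sub_rect.IsValid()` test must stay the first operand of the condition, because the `sub_rect.MaxX()` and `sub_rect.MaxY()` calls on the next lines presumably compute the very sums (x + width, y + height) that IsValid() reports as overflowing, and only short-circuit evaluation keeps them from running on a bad rect; the hunk records that ordering constraint nowhere. A one-line comment above the `if` would protect it from a well-meaning reordering: `// IsValid() must be tested first: MaxX()/MaxY() are the sums it guards.` The enclosing function begins before this hunk and continues after it.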
diff --git a/chromium/third_party/WebKit/Source/platform/geometry/IntRect.cpp b/chromium/third_party/WebKit/Source/platform/geometry/IntRect.cpp
index 459744e514b..06fb9b136d6 100644
--- a/chromium/third_party/WebKit/Source/platform/geometry/IntRect.cpp
+++ b/chromium/third_party/WebKit/Source/platform/geometry/IntRect.cpp
@@ -27,6 +27,7 @@
#include "platform/geometry/FloatRect.h"
#include "platform/geometry/LayoutRect.h"
+#include "platform/wtf/CheckedNumeric.h"
#include "platform/wtf/text/WTFString.h"
#include "third_party/skia/include/core/SkRect.h"
#include "ui/gfx/geometry/rect.h"
@@ -174,4 +175,14 @@ String IntRect::ToString() const {
Size().ToString().Ascii().data());
}
+bool IntRect::IsValid() const {
+ CheckedNumeric<int> max = location_.X();
+ max += size_.Width();
+ if (!max.IsValid())
+ return false;
+ max = location_.Y();
+ max += size_.Height();
+ return max.IsValid();
+}
+
} // namespace blink
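Review bot: IntRect::IsValid() reuses one mutable `CheckedNumeric<int> max` for two unrelated sums, which reads as sequential state where the intent is two independent checks; the same result is clearer as two expressions, `return (CheckedNumeric<int>(location_.X()) + size_.Width()).IsValid() && (CheckedNumeric<int>(location_.Y()) + size_.Height()).IsValid();`, which also avoids a local named `max`. It is worth a short comment in the definition that only the two sums are checked and that negative width or height is not rejected here, since the WebGLRenderingContextBase.h hunk still tests `Width() < 0` and `Height() < 0` separately and a reader of this file alone cannot tell that split is intentional.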
diff --git a/chromium/third_party/WebKit/Source/platform/geometry/IntRect.h b/chromium/third_party/WebKit/Source/platform/geometry/IntRect.h
index 146f15a3eb2..278b8bb2b40 100644
--- a/chromium/third_party/WebKit/Source/platform/geometry/IntRect.h
+++ b/chromium/third_party/WebKit/Source/platform/geometry/IntRect.h
@@ -200,6 +200,9 @@ class PLATFORM_EXPORT IntRect {
String ToString() const;
+ // Return false if x + width or y + height overflows.
+ bool IsValid() const;
+
private:
IntPoint location_;
IntSize size_;
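Review bot: The new comment on IsValid() should state the range it checks against and the limit of the check, since the implementation in IntRect.cpp only tests the two sums through CheckedNumeric<int> and never looks at the sign of width or height; callers that also need non-negative sizes must check that themselves, as the WebGLRenderingContextBase.h hunk does. Suggested wording: `// Returns false if x + width or y + height overflows int. Negative width or height is not rejected here.`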