author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-01-25 17:02:23 +0100 |
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-01-25 21:41:26 +0000 |
commit | 543692ef8d0e17adecc36b07f36164f9bc93e85c (patch) | |
tree | 4c82d50f7015c206194128208a1a2b4023b98ea4 | |
parent | 439b32a6aa2c1ec8e18e3f21b28a0c93102ba5bb (diff) | |
[Backport] Tighten about IntRect use in WebGL with overflow detection
BUG=784183
TEST=test case in the bug in ASAN build
R=kbr@chromium.org
Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Reviewed-on: https://chromium-review.googlesource.com/811826
Reviewed-by: Kenneth Russell <kbr@chromium.org>
Commit-Queue: Zhenyao Mo <zmo@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#522213}(cherry picked from commit 3298d3abf47b3a7a10e44c07d821c68a5c8aa935)
Reviewed-on: https://chromium-review.googlesource.com/815775
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
Cr-Commit-Position: refs/branch-heads/3282@{#80}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}
(CVE-2018-6034)
Change-Id: I18da82e2b063350caf56add656cd85a97537f8ae
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
4 files changed, 24 insertions, 4 deletions
diff --git a/chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp b/chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp
index 5387893f61b..a025578e8cf 100644
--- a/chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp
+++ b/chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp
@@ -4373,7 +4373,7 @@ void WebGLRenderingContextBase::TexImageImpl(
 Vector<uint8_t> data;
 IntRect sub_rect = source_image_rect;
- if (sub_rect == SentinelEmptyRect()) {
+ if (sub_rect.IsValid() && sub_rect == SentinelEmptyRect()) {
 // Recalculate based on the size of the Image.
 sub_rect = SafeGetImageSize(image);
 }
@@ -5198,6 +5198,12 @@ void WebGLRenderingContextBase::TexImageHelperHTMLVideoElement(
 yoffset, zoffset))
 return;
+ if (!source_image_rect.IsValid()) {
+ SynthesizeGLError(GL_INVALID_OPERATION, func_name,
+ "source sub-rectangle specified via pixel unpack "
+ "parameters is invalid");
+ return;
+ }
 bool source_image_rect_is_default = source_image_rect == SentinelEmptyRect() || source_image_rect ==
diff --git a/chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.h b/chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.h
index 0b82040f724..98242f5e0ca 100644
--- a/chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.h
+++ b/chromium/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.h
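Review bot: With the new guard in TexImageImpl, a rect whose x+width or y+height overflows is no longer replaced by the image size and instead continues as-is with sub_rect invalid; that is only safe if every path after this point runs the sub-rectangle validation (the header hunk in this commit adds the same IsValid() test there), and this hunk alone does not show that. The equality comparison itself presumably cannot overflow, so the IsValid() term exists to keep an invalid rect from being silently normalized into a valid one, which deserves a line of explanation. Suggest `// An overflowing rect must not be normalized to the image size; leave it so the later sub-rect validation rejects it.` above the `if`. TexImageImpl's body continues outside the hunk.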
@@ -1054,9 +1054,9 @@ class MODULES_EXPORT WebGLRenderingContextBase : public CanvasRenderingContext,
 << ") @ (" << sub_rect.X() << ", " << sub_rect.Y() << "), image = (" << image_width << " x " << image_height << ")";
- if (sub_rect.X() < 0 || sub_rect.Y() < 0 || sub_rect.MaxX() > image_width ||
- sub_rect.MaxY() > image_height || sub_rect.Width() < 0 ||
- sub_rect.Height() < 0) {
+ if (!sub_rect.IsValid() || sub_rect.X() < 0 || sub_rect.Y() < 0 ||
+ sub_rect.MaxX() > image_width || sub_rect.MaxY() > image_height ||
+ sub_rect.Width() < 0 || sub_rect.Height() < 0) {
 SynthesizeGLError(GL_INVALID_OPERATION, function_name, "source sub-rectangle specified via pixel unpack " "parameters is invalid");
diff --git a/chromium/third_party/WebKit/Source/platform/geometry/IntRect.cpp b/chromium/third_party/WebKit/Source/platform/geometry/IntRect.cpp
index 459744e514b..06fb9b136d6 100644
--- a/chromium/third_party/WebKit/Source/platform/geometry/IntRect.cpp
+++ b/chromium/third_party/WebKit/Source/platform/geometry/IntRect.cpp
@@ -27,6 +27,7 @@
 #include "platform/geometry/FloatRect.h"
 #include "platform/geometry/LayoutRect.h"
+#include "platform/wtf/CheckedNumeric.h"
 #include "platform/wtf/text/WTFString.h"
 #include "third_party/skia/include/core/SkRect.h"
 #include "ui/gfx/geometry/rect.h"
@@ -174,4 +175,14 @@ String IntRect::ToString() const {
 Size().ToString().Ascii().data());
 }
+bool IntRect::IsValid() const {
+ CheckedNumeric<int> max = location_.X();
+ max += size_.Width();
+ if (!max.IsValid())
+ return false;
+ max = location_.Y();
+ max += size_.Height();
+ return max.IsValid();
+}
+
 } // namespace blink
diff --git a/chromium/third_party/WebKit/Source/platform/geometry/IntRect.h b/chromium/third_party/WebKit/Source/platform/geometry/IntRect.h
index 146f15a3eb2..278b8bb2b40 100644
--- a/chromium/third_party/WebKit/Source/platform/geometry/IntRect.h
+++ b/chromium/third_party/WebKit/Source/platform/geometry/IntRect.h
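Review bot: The `!sub_rect.IsValid()` term in the WebGLRenderingContextBase.h hunk only protects the `MaxX()`/`MaxY()` comparisons because it is the first operand of the `||` chain, and nothing in the condition says so, so a later reorder would quietly bring the overflow back. Suggest a comment above the `if`: `// IsValid() must stay first: MaxX()/MaxY() add x+width / y+height and would overflow on a rect that IsValid() rejects.` (this assumes MaxX()/MaxY() are the plain sums, which is not visible in the hunk). The enclosing function's signature and the rest of its body are outside the hunk.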
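Review bot: IntRect::IsValid() in the IntRect.cpp hunk reuses one CheckedNumeric for both axes and restarts it with a plain assignment, which reads as a mutation of `max` rather than two independent overflow checks; the two sums are clearer as two expressions, `return (CheckedNumeric<int>(location_.X()) + size_.Width()).IsValid() && (CheckedNumeric<int>(location_.Y()) + size_.Height()).IsValid();`. It deliberately accepts a negative Width()/Height() as long as the sum fits, which matches the header comment, so callers that need non-negative sizes still need their own check as the WebGL header hunk does. A unit test covering both axes (constructed cases: a rect with X() == INT_MAX and Width() == 1, and the Y/Height counterpart) would pin the behaviour, since only the first failing axis is exercised by the linked bug's test case.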
@@ -200,6 +200,9 @@ class PLATFORM_EXPORT IntRect {
 String ToString() const;
+ // Return false if x + width or y + height overflows.
+ bool IsValid() const;
+
 private:
 IntPoint location_;
 IntSize size_; |
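Review bot: The declaration comment says what IsValid() rejects but not what it still accepts, which is the part a caller is most likely to get wrong: a negative or zero Width()/Height() whose sum with the origin fits in int still returns true (per the IntRect.cpp hunk in this commit). Suggest `// Returns false if x + width or y + height overflows int. Does not reject empty or negative sizes; callers must check those separately.`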