author | Khushal <khushalsagar@chromium.org> | 2019-11-22 20:47:08 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-06 16:05:29 +0000 |
commit | 6b0d12aa31ae3553db04277d46ce14f57a6e20b3 (patch) | |
tree | 412bd23256520d3116d836a93a240a3167da0116 | |
parent | 3f6e9bf1fb04dcd353aaf2c3a8c17d40eea6a154 (diff) | |
download | qtwebengine-chromium-6b0d12aa31ae3553db04277d46ce14f57a6e20b3.tar.gz |
[Backport] Security bug 1018629
Cherry pick of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/1922305
blink: Handle peekPixels failure in ImageDataBuffer and add msan checks.
R=fserb@chromium.org
Bug: 1018629
Auto-Submit: Khushal <khushalsagar@chromium.org>
Commit-Queue: Fernando Serboncini <fserb@chromium.org>
Reviewed-by: Fernando Serboncini <fserb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#718268}
Change-Id: Ied407cbaeeb920ffe0c25b39a03f485bebfe5bc0
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc b/chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc
index 8e1255ce43b..fe622fba3ae 100644
--- a/chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc
+++ b/chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc
@@ -34,6 +34,7 @@
 #include <memory>
+#include "base/compiler_specific.h"
 #include "base/memory/ptr_util.h"
 #include "third_party/blink/renderer/platform/graphics/static_bitmap_image.h"
 #include "third_party/blink/renderer/platform/image-encoders/image_encoder.h"
@@ -78,10 +79,12 @@ ImageDataBuffer::ImageDataBuffer(scoped_refptr<StaticBitmapImage> image) {
 pixmap_.reset();
 return;
 }
+ MSAN_CHECK_MEM_IS_INITIALIZED(pixmap_.addr(), pixmap_.computeByteSize());
 retained_image_ = SkImage::MakeRasterData(info, std::move(data), rowBytes);
 } else {
 if (!retained_image_->peekPixels(&pixmap_))
 return;
+ MSAN_CHECK_MEM_IS_INITIALIZED(pixmap_.addr(), pixmap_.computeByteSize());
 }
 is_valid_ = true;
 size_ = IntSize(image->width(), image->height());
@@ -161,7 +164,9 @@ String ImageDataBuffer::ToDataURL(const ImageEncodingMimeType mime_type,
 if (!pixmap.colorSpace()->isSRGB()) {
 skia_image = SkImage::MakeFromRaster(pixmap, nullptr, nullptr);
 skia_image = skia_image->makeColorSpace(SkColorSpace::MakeSRGB());
- skia_image->peekPixels(&pixmap);
+ if (!skia_image->peekPixels(&pixmap))
+ return "data:,";
+ MSAN_CHECK_MEM_IS_INITIALIZED(pixmap.addr(), pixmap.computeByteSize());
 }
 pixmap.setColorSpace(nullptr);
 } |
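Review bot: The two `MSAN_CHECK_MEM_IS_INITIALIZED` calls added to the constructor, and the third one added in `ToDataURL`, are diagnostics that compile to nothing outside MemorySanitizer builds, so they should not be read as a runtime guard on the pixel buffer. A short comment at the first call would make that explicit, for example `// MSan-only: report uninitialized pixel bytes at the point the buffer is captured; no-op in other builds.` It is also worth confirming what `computeByteSize()` covers for these pixmaps: if `rowBytes` can exceed the packed row width, the checked range presumably includes inter-row padding that nothing is required to initialize, and the size should be known not to be the overflow sentinel before it is passed as a length. The constructor body starts and ends outside the hunk.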
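Review bot: `skia_image` is still dereferenced without a null test in the `ToDataURL` hunk: as far as Skia documents them, both `SkImage::MakeFromRaster` and `makeColorSpace` can return null, and the new failure path only handles `peekPixels` returning false. The same early return can cover the second case, `if (!skia_image || !skia_image->peekPixels(&pixmap)) return "data:,";`, with a matching `if (!skia_image) return "data:,";` before the `makeColorSpace` call. A one-line comment saying that `"data:,"` is the empty data URL returned when the image cannot be encoded would help the next reader; whether it matches the function's other failure returns cannot be checked from here. The function body starts and ends outside the hunk.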