[Backport] Security bug 1018629

Cherry pick of patch originally reviewed on: https://chromium-review.googlesource.com/c/chromium/src/+/1922305 blink: Handle peekPixels failure in ImageDataBuffer and add msan checks. R=fserb@chromium.org Bug: 1018629 Auto-Submit: Khushal <khushalsagar@chromium.org> Commit-Queue: Fernando Serboncini <fserb@chromium.org> Reviewed-by: Fernando Serboncini <fserb@chromium.org> Cr-Commit-Position: refs/heads/master@{#718268} Change-Id: Ied407cbaeeb920ffe0c25b39a03f485bebfe5bc0 Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
author: Khushal <khushalsagar@chromium.org> 2019-11-22 20:47:08 +0000
committer: Michael Brüning <michael.bruning@qt.io> 2020-03-06 16:05:29 +0000
commit: 6b0d12aa31ae3553db04277d46ce14f57a6e20b3 (patch)
tree: 412bd23256520d3116d836a93a240a3167da0116
parent: 3f6e9bf1fb04dcd353aaf2c3a8c17d40eea6a154 (diff)
download: qtwebengine-chromium-6b0d12aa31ae3553db04277d46ce14f57a6e20b3.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc b/chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc
index 8e1255ce43b..fe622fba3ae 100644
--- a/chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc
+++ b/chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc
@@ -34,6 +34,7 @@
 
 #include <memory>
 
+#include "base/compiler_specific.h"
 #include "base/memory/ptr_util.h"
 #include "third_party/blink/renderer/platform/graphics/static_bitmap_image.h"
 #include "third_party/blink/renderer/platform/image-encoders/image_encoder.h"
@@ -78,10 +79,12 @@ ImageDataBuffer::ImageDataBuffer(scoped_refptr<StaticBitmapImage> image) {
       pixmap_.reset();
       return;
     }
+    MSAN_CHECK_MEM_IS_INITIALIZED(pixmap_.addr(), pixmap_.computeByteSize());
     retained_image_ = SkImage::MakeRasterData(info, std::move(data), rowBytes);
   } else {
     if (!retained_image_->peekPixels(&pixmap_))
       return;
+    MSAN_CHECK_MEM_IS_INITIALIZED(pixmap_.addr(), pixmap_.computeByteSize());
   }
   is_valid_ = true;
   size_ = IntSize(image->width(), image->height());
@@ -161,7 +164,9 @@ String ImageDataBuffer::ToDataURL(const ImageEncodingMimeType mime_type,
     if (!pixmap.colorSpace()->isSRGB()) {
       skia_image = SkImage::MakeFromRaster(pixmap, nullptr, nullptr);
       skia_image = skia_image->makeColorSpace(SkColorSpace::MakeSRGB());
-      skia_image->peekPixels(&pixmap);
+      if (!skia_image->peekPixels(&pixmap))
+        return "data:,";
+      MSAN_CHECK_MEM_IS_INITIALIZED(pixmap.addr(), pixmap.computeByteSize());
     }
     pixmap.setColorSpace(nullptr);
   }
author	Khushal <khushalsagar@chromium.org>	2019-11-22 20:47:08 +0000
committer	Michael Brüning <michael.bruning@qt.io>	2020-03-06 16:05:29 +0000
commit	6b0d12aa31ae3553db04277d46ce14f57a6e20b3 (patch)
tree	412bd23256520d3116d836a93a240a3167da0116
parent	3f6e9bf1fb04dcd353aaf2c3a8c17d40eea6a154 (diff)
download	qtwebengine-chromium-6b0d12aa31ae3553db04277d46ce14f57a6e20b3.tar.gz