authorJuanmi Huertas <juanmihd@chromium.org>2020-04-07 14:25:12 +0000
committerMichael Brüning <michael.bruning@qt.io>2020-07-29 10:52:37 +0000
commit1cf3807d934912aec23a22d10dcedb0773f75eca (patch)
tree406cf3b6f52b668994f064459269ba3426d76406
parentcc32214f8dc1268ed0de951c16746b86df0f2257 (diff)
downloadqtwebengine-chromium-1cf3807d934912aec23a22d10dcedb0773f75eca.tar.gz
[Backport] Security bug 1052492
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2134662: Adding a new MSAN check to validate that the SkImage is initialized. ImageDataBuffer may be trying to copy an uninitialized SkImage. Adding an MSAN check before doing the copy to ensure that the image has been initialized. Bug: 1052492 Change-Id: I6cfefffe42f5cf11eaf5119df1352338c2b00010 Commit-Queue: Fernando Serboncini <fserb@chromium.org> Reviewed-by: Fernando Serboncini <fserb@chromium.org> Auto-Submit: Juanmi Huertas <juanmihd@chromium.org> Cr-Commit-Position: refs/heads/master@{#757045} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc7
1 files changed, 7 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc b/chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc
index fe622fba3ae..9abb2b2747e 100644
--- a/chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc
+++ b/chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc
@@ -54,6 +54,13 @@ ImageDataBuffer::ImageDataBuffer(scoped_refptr<StaticBitmapImage> image) {
retained_image_ = image->PaintImageForCurrentFrame().GetSkImage();
if (!retained_image_)
return;
+#if defined(MEMORY_SANITIZER)
+ // Test if retained_image has an initialized pixmap.
+ SkPixmap pixmap;
+ if (retained_image_->peekPixels(&pixmap))
+ MSAN_CHECK_MEM_IS_INITIALIZED(pixmap.addr(), pixmap.computeByteSize());
+#endif
+
if (retained_image_->isTextureBacked() ||
retained_image_->isLazyGenerated() ||
retained_image_->alphaType() != kUnpremul_SkAlphaType) {
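Review bot: The added check on the `MSAN_CHECK_MEM_IS_INITIALIZED(pixmap.addr(), pixmap.computeByteSize())` line spans the whole `rowBytes()`-strided allocation, so if `rowBytes()` is larger than `width() * bytesPerPixel()` the range includes inter-row padding that is legitimately never written, and MSAN would report a false positive on such pixmaps rather than a real uninitialized-pixel read. Checking only the used bytes of each row, from `pixmap.addr(0, y)`, keeps the check on actual pixel data; the rewrite is sketched below. It is also worth a comment that this is diagnostic only — outside `MEMORY_SANITIZER` builds nothing is checked and the copy later in this constructor still proceeds, so the source of the uninitialized pixels is not addressed here, e.g. `// Diagnostic only: flags uninitialized source pixels under MSAN; the copy itself is unchanged.` Please also confirm the header that defines `MSAN_CHECK_MEM_IS_INITIALIZED` is included by this file, since the hunk does not show it. The constructor `ImageDataBuffer::ImageDataBuffer` starts before this hunk and continues past it.
```cpp
#if defined(MEMORY_SANITIZER)
  // Diagnostic only: flags uninitialized source pixels under MSAN; the copy
  // itself is unchanged. Check just the used bytes of each row, since
  // rowBytes() may include padding that is never written.
  SkPixmap pixmap;
  if (retained_image_->peekPixels(&pixmap)) {
    const size_t used_row_bytes =
        static_cast<size_t>(pixmap.width()) * pixmap.info().bytesPerPixel();
    for (int y = 0; y < pixmap.height(); ++y)
      MSAN_CHECK_MEM_IS_INITIALIZED(pixmap.addr(0, y), used_row_bytes);
  }
#endif
// … unchanged: isTextureBacked / isLazyGenerated / alphaType branch …
```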