authorMike Reed <reed@google.com>2020-07-20 18:12:00 -0400
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-08-11 14:48:53 +0000
commit69a85eaabf20737316564411a66aa8d497e83135 (patch)
treedb0cf37b35df635a1d66344c58c33d30d3675185
parent10efe0032f2926cb582d1feca3377be3e3797f02 (diff)
downloadqtwebengine-chromium-69a85eaabf20737316564411a66aa8d497e83135.tar.gz
[Backport] CVE-2020-6548: Heap buffer overflow in Skia
Manual backport of patch originally reviewed on https://skia-review.googlesource.com/c/skia/+/304416: MallocPixelRef should always allocate as large as computeByteSize() says Bug: 1103827 Change-Id: I837f92cf10a1a389fe1b0ba55ae1323e7e68f741 Reviewed-by: Ben Wagner <bungeman@google.com> Commit-Queue: Mike Reed <reed@google.com> Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/skia/src/core/SkMallocPixelRef.cpp10
1 files changed, 4 insertions, 6 deletions
diff --git a/chromium/third_party/skia/src/core/SkMallocPixelRef.cpp b/chromium/third_party/skia/src/core/SkMallocPixelRef.cpp
index d998029a2be..8e7db5ebb41 100644
--- a/chromium/third_party/skia/src/core/SkMallocPixelRef.cpp
+++ b/chromium/third_party/skia/src/core/SkMallocPixelRef.cpp
@@ -30,12 +30,10 @@ sk_sp<SkPixelRef> SkMallocPixelRef::MakeAllocate(const SkImageInfo& info, size_t
if (!is_valid(info) || !info.validRowBytes(rowBytes)) {
return nullptr;
}
- size_t size = 0;
- if (!info.isEmpty() && rowBytes) {
- size = info.computeByteSize(rowBytes);
- if (SkImageInfo::ByteSizeOverflowed(size)) {
- return nullptr;
- }
+
+ size_t size = info.computeByteSize(rowBytes);
+ if (SkImageInfo::ByteSizeOverflowed(size)) {
+ return nullptr;
}
void* addr = sk_calloc_canfail(size);
if (nullptr == addr) {
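Review bot: The now-unconditional `size_t size = info.computeByteSize(rowBytes);` is the whole fix, but nothing at that line says why the old `!info.isEmpty() && rowBytes` shortcut must not return, so a later cleanup could reintroduce an undersized allocation. I would add a comment directly above it, e.g. `// Always allocate exactly what computeByteSize() reports; do not special-case empty infos, later accesses are sized from the same value.` The second half of that comment is inferred from the commit title rather than from lines visible here, so confirm it against the callers. Separately, when the computed size is 0 the result of `sk_calloc_canfail(size)` goes straight into the `nullptr == addr` check, and whether a zero-byte request yields null presumably depends on the allocator, so a unit test pinning what MakeAllocate returns for a zero-height or zero-width info would be worth adding. The body of MakeAllocate starts before and continues after this hunk.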