author | Mike Reed <reed@google.com> | 2020-07-20 18:12:00 -0400 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-08-11 14:48:53 +0000 |
commit | 69a85eaabf20737316564411a66aa8d497e83135 (patch) | |
tree | db0cf37b35df635a1d66344c58c33d30d3675185 | |
parent | 10efe0032f2926cb582d1feca3377be3e3797f02 (diff) | |
download | qtwebengine-chromium-69a85eaabf20737316564411a66aa8d497e83135.tar.gz |
[Backport] CVE-2020-6548: Heap buffer overflow in Skia
Manual backport of patch originally reviewed on
https://skia-review.googlesource.com/c/skia/+/304416:
MallocPixelRef should always allocate as large as computeByteSize() says
Bug: 1103827
Change-Id: I837f92cf10a1a389fe1b0ba55ae1323e7e68f741
Reviewed-by: Ben Wagner <bungeman@google.com>
Commit-Queue: Mike Reed <reed@google.com>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/skia/src/core/SkMallocPixelRef.cpp | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/chromium/third_party/skia/src/core/SkMallocPixelRef.cpp b/chromium/third_party/skia/src/core/SkMallocPixelRef.cpp index d998029a2be..8e7db5ebb41 100644 --- a/chromium/third_party/skia/src/core/SkMallocPixelRef.cpp +++ b/chromium/third_party/skia/src/core/SkMallocPixelRef.cpp @@ -30,12 +30,10 @@ sk_sp<SkPixelRef> SkMallocPixelRef::MakeAllocate(const SkImageInfo& info, size_t if (!is_valid(info) || !info.validRowBytes(rowBytes)) { return nullptr; } - size_t size = 0; - if (!info.isEmpty() && rowBytes) { - size = info.computeByteSize(rowBytes); - if (SkImageInfo::ByteSizeOverflowed(size)) { - return nullptr; - } + + size_t size = info.computeByteSize(rowBytes); + if (SkImageInfo::ByteSizeOverflowed(size)) { + return nullptr; } void* addr = sk_calloc_canfail(size); if (nullptr == addr) { |
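
Review bot: In MakeAllocate, the new unconditional `size_t size = info.computeByteSize(rowBytes);` drops the `!info.isEmpty() && rowBytes` guard with no comment at that line saying why, and the diffstat shows only SkMallocPixelRef.cpp changed, so no test in this change pins the behaviour for an empty info or a zero rowBytes. Suggest a short comment above the assignment stating the invariant from the commit message (the allocation must always be as large as computeByteSize() says), so a later cleanup does not reintroduce the special case that left size at 0. Also suggest a regression test that calls MakeAllocate with an empty SkImageInfo and with rowBytes of 0, and checks that the call either returns nullptr or returns a pixel ref whose backing allocation matches what computeByteSize(rowBytes) reports for the same arguments.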