author | Herb Derby <herb@google.com> | 2020-05-21 14:46:06 -0400 |
committer | Michael Brüning <michael.bruning@qt.io> | 2020-07-22 15:17:36 +0000 |
commit | b44a099f73782800bbd08508c2cb773f57c27e17 (patch) | |
tree | 1ec15abac3c437b424a6309c682e640986475915 | |
parent | 2c7da754bb4bcec3a61e76c42399150169d040bf (diff) | |
[Backport] CVE-2020-6523: Out of bounds write in Skia
Manual cherry-pick of patch originally reviewed on
Drop SkTextBlobs with > 2M glyphs.
This will guard against buffer overflows
for large text blobs.
Bug: chromium:1080481
Change-Id: I13a10869babfa149a70c2f4caebb3a1ae4452b77
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/skia/src/core/SkCanvas.cpp | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/chromium/third_party/skia/src/core/SkCanvas.cpp b/chromium/third_party/skia/src/core/SkCanvas.cpp
index 46fee6110da..51efa67fe4b 100644
--- a/chromium/third_party/skia/src/core/SkCanvas.cpp
+++ b/chromium/third_party/skia/src/core/SkCanvas.cpp
@@ -2699,6 +2699,19 @@ void SkCanvas::drawTextBlob(const SkTextBlob* blob, SkScalar x, SkScalar y,
     TRACE_EVENT0("skia", TRACE_FUNC);
     RETURN_ON_NULL(blob);
     RETURN_ON_FALSE(blob->bounds().makeOffset(x, y).isFinite());
+
+    // Overflow if more than 2^21 glyphs stopping a buffer overflow latter in the stack.
+    // See chromium:1080481
+    // TODO: can consider unrolling a few at a time if this limit becomes a problem.
+    int totalGlyphCount = 0;
+    constexpr int kMaxGlyphCount = 1 << 21;
+    SkTextBlob::Iter i(*blob);
+    SkTextBlob::Iter::Run r;
+    while (i.next(&r)) {
+        int glyphsLeft = kMaxGlyphCount - totalGlyphCount;
+        RETURN_ON_FALSE(r.fGlyphCount <= glyphsLeft);
+        totalGlyphCount += r.fGlyphCount;
+    }
     this->onDrawTextBlob(blob, x, y, paint);
 }
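Review bot: The comment that opens the added block is the only explanation of the new limit and it is misleading as written: `// Overflow if more than 2^21 glyphs stopping a buffer overflow latter in the stack.` reads as though the check itself overflows, and "latter" should be "later". Suggest replacing the first comment line with `// Reject blobs with more than 2^21 glyphs in total: larger counts overflow a buffer later in the stack (chromium:1080481).` and adding `// Compared against the remaining budget per run so the running total itself cannot overflow int (assumes fGlyphCount >= 0).` above the loop, since that is the reason the subtraction form is used. Note also that the guard sits only in this public entry point and does not change the code that actually overflows; any caller that reaches onDrawTextBlob or the glyph-run machinery without going through SkCanvas::drawTextBlob would presumably remain unprotected, which is worth confirming before treating this as the complete fix. drawTextBlob's signature begins in the @@ context line, so its parameter list starts before the hunk.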