authorHerb Derby <herb@google.com>2020-05-21 14:46:06 -0400
committerMichael Brüning <michael.bruning@qt.io>2020-07-22 15:17:36 +0000
commitb44a099f73782800bbd08508c2cb773f57c27e17 (patch)
tree1ec15abac3c437b424a6309c682e640986475915
parent2c7da754bb4bcec3a61e76c42399150169d040bf (diff)
[Backport] CVE-2020-6523: Out of bounds write in Skia
Manual cherry-pick of patch originally reviewed on Drop SkTextBlobs with > 2M glyphs. This will guard against buffer overflows for large text blobs. Bug: chromium:1080481 Change-Id: I13a10869babfa149a70c2f4caebb3a1ae4452b77 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/skia/src/core/SkCanvas.cpp13
1 files changed, 13 insertions, 0 deletions
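diff --git a/chromium/third_party/skia/src/core/SkCanvas.cpp b/chromium/third_party/skia/src/core/SkCanvas.cpp
index 46fee6110da..51efa67fe4b 100644
--- a/chromium/third_party/skia/src/core/SkCanvas.cpp
+++ b/chromium/third_party/skia/src/core/SkCanvas.cpp
@@ -2699,6 +2699,19 @@ void SkCanvas::drawTextBlob(const SkTextBlob* blob, SkScalar x, SkScalar y,
 TRACE_EVENT0("skia", TRACE_FUNC);
 RETURN_ON_NULL(blob);
 RETURN_ON_FALSE(blob->bounds().makeOffset(x, y).isFinite());
+
+ // Overflow if more than 2^21 glyphs stopping a buffer overflow latter in the stack.
+ // See chromium:1080481
+ // TODO: can consider unrolling a few at a time if this limit becomes a problem.
+ int totalGlyphCount = 0;
+ constexpr int kMaxGlyphCount = 1 << 21;
+ SkTextBlob::Iter i(*blob);
+ SkTextBlob::Iter::Run r;
+ while (i.next(&r)) {
+ int glyphsLeft = kMaxGlyphCount - totalGlyphCount;
+ RETURN_ON_FALSE(r.fGlyphCount <= glyphsLeft);
+ totalGlyphCount += r.fGlyphCount;
+ }
 this->onDrawTextBlob(blob, x, y, paint);
 }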
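Review bot: The comment introducing the new glyph-count loop misstates the intent — "latter" should be "later", and it reads as if the code overflows rather than rejects; suggest `// Reject blobs with more than 2^21 glyphs in total: larger counts would overflow a buffer later in the stack (chromium:1080481).` The cumulative check is correct for non-negative run counts; if `fGlyphCount` is a signed int (its declaration is not in this hunk), a negative count from a malformed blob would still satisfy `r.fGlyphCount <= glyphsLeft` and would shrink `totalGlyphCount`, so `RETURN_ON_FALSE(r.fGlyphCount >= 0 && r.fGlyphCount <= glyphsLeft);` makes the guard robust to that case as well. As a point of style, `kMaxGlyphCount` is declared after the counter it bounds; declaring the constant first (or at namespace scope next to the other limits) reads more naturally. drawTextBlob begins before this hunk, so any earlier validation of the blob is not visible here.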