authorGregg Tavares <gman@chromium.org>2022-03-29 03:11:52 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-05-03 20:17:12 +0000
commita7ab734011f495d86c1461fbb1fe1bf78d958ea7 (patch)
treef894d9295c9f55269bcf7bdc850439c44c6735e8
parent0aa47bd2a81ddb206ac00bb48bc99d24bae89490 (diff)
downloadqtwebengine-chromium-a7ab734011f495d86c1461fbb1fe1bf78d958ea7.tar.gz
[Backport] CVE-2022-1482: Inappropriate implementation in WebGL.
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3556686: Check for error when calling ComputeImageSizeInBytes Bug: chromium:1304987 Change-Id: I8311231156fca3200ce74d79db59d910a1a0e33a Reviewed-by: Kenneth Russell <kbr@chromium.org> Commit-Queue: Gregg Tavares <gman@chromium.org> Cr-Commit-Position: refs/heads/main@{#986304} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/platform/graphics/gpu/webgl_image_conversion.cc6
1 files changed, 4 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/platform/graphics/gpu/webgl_image_conversion.cc b/chromium/third_party/blink/renderer/platform/graphics/gpu/webgl_image_conversion.cc
index 8355cb96cb4..04880ad2c1e 100644
--- a/chromium/third_party/blink/renderer/platform/graphics/gpu/webgl_image_conversion.cc
+++ b/chromium/third_party/blink/renderer/platform/graphics/gpu/webgl_image_conversion.cc
@@ -3996,8 +3996,10 @@ bool WebGLImageConversion::ExtractTextureData(
data.resize(width * height * bytes_per_pixel);
unsigned image_size_in_bytes, skip_size_in_bytes;
- ComputeImageSizeInBytes(format, type, width, height, 1, unpack_params,
- &image_size_in_bytes, nullptr, &skip_size_in_bytes);
+ if (ComputeImageSizeInBytes(format, type, width, height, 1, unpack_params,
+ &image_size_in_bytes, nullptr,
+ &skip_size_in_bytes) != GL_NO_ERROR)
+ return false;
const uint8_t* src_data = static_cast<const uint8_t*>(pixels);
if (skip_size_in_bytes) {
src_data += skip_size_in_bytes;
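Review bot: The added `!= GL_NO_ERROR` check sits after `data.resize(width * height * bytes_per_pixel);`, so the destination vector is still sized from an unchecked product before the dimensions are validated, and it has already been resized by the time the function returns false. Moving the `if (ComputeImageSizeInBytes(...) != GL_NO_ERROR) return false;` statement above the resize would keep any allocation from happening on rejected input, and a comment such as `// Validate the computed sizes before sizing or reading any buffer.` would record why the order matters. Whether the validation inside ComputeImageSizeInBytes covers the same product as the resize depends on `unpack_params` and the operand types, which are not visible here, so that should be confirmed rather than assumed. ExtractTextureData starts and ends outside this hunk, so how `image_size_in_bytes` is used against the source buffer afterwards cannot be judged from these lines.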