author | Gregg Tavares <gman@chromium.org> | 2022-03-29 03:11:52 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2022-05-03 20:17:12 +0000 |
commit | a7ab734011f495d86c1461fbb1fe1bf78d958ea7 (patch) | |
tree | f894d9295c9f55269bcf7bdc850439c44c6735e8 | |
parent | 0aa47bd2a81ddb206ac00bb48bc99d24bae89490 (diff) | |
download | qtwebengine-chromium-a7ab734011f495d86c1461fbb1fe1bf78d958ea7.tar.gz |
[Backport] CVE-2022-1482: Inappropriate implementation in WebGL.
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3556686:
Check for error when calling ComputeImageSizeInBytes
Bug: chromium:1304987
Change-Id: I8311231156fca3200ce74d79db59d910a1a0e33a
Reviewed-by: Kenneth Russell <kbr@chromium.org>
Commit-Queue: Gregg Tavares <gman@chromium.org>
Cr-Commit-Position: refs/heads/main@{#986304}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/platform/graphics/gpu/webgl_image_conversion.cc | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/platform/graphics/gpu/webgl_image_conversion.cc b/chromium/third_party/blink/renderer/platform/graphics/gpu/webgl_image_conversion.cc
index 8355cb96cb4..04880ad2c1e 100644
--- a/chromium/third_party/blink/renderer/platform/graphics/gpu/webgl_image_conversion.cc
+++ b/chromium/third_party/blink/renderer/platform/graphics/gpu/webgl_image_conversion.cc
@@ -3996,8 +3996,10 @@ bool WebGLImageConversion::ExtractTextureData(
 data.resize(width * height * bytes_per_pixel);
 unsigned image_size_in_bytes, skip_size_in_bytes;
- ComputeImageSizeInBytes(format, type, width, height, 1, unpack_params,
- &image_size_in_bytes, nullptr, &skip_size_in_bytes);
+ if (ComputeImageSizeInBytes(format, type, width, height, 1, unpack_params,
+ &image_size_in_bytes, nullptr,
+ &skip_size_in_bytes) != GL_NO_ERROR)
+ return false;
 const uint8_t* src_data = static_cast<const uint8_t*>(pixels);
 if (skip_size_in_bytes) {
 src_data += skip_size_in_bytes; |
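Review bot: The new error check runs only after `data.resize(width * height * bytes_per_pixel)` on the context line above it, so when ComputeImageSizeInBytes fails the output vector has already been sized from the same unvalidated dimensions, and that product is computed with no overflow check visible in this hunk. Consider moving the check ahead of the resize, or computing the resize length with checked arithmetic (for example `base::CheckedNumeric<size_t>`), so that rejected parameters never drive an allocation. The three-line condition with an unbraced `return false;` would also be less error-prone with braces, and a short comment such as `// Bail out if the unpack parameters yield an invalid or overflowing size.` would record why the return value matters. ExtractTextureData starts and ends outside this hunk, so whether image_size_in_bytes is later compared with the length of the source buffer cannot be confirmed from here.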