authorMike Wasserman <msw@chromium.org>2022-01-28 01:49:41 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-05-03 20:15:52 +0000
commitf53d34e8678949a091ab54c573296ba855e8dda4 (patch)
tree90ba6ba81d35a02c3c3aaf55cedf58bceac59fea
parentafe46e6fa7b5dee8f666ef76404bf80fa37a9a56 (diff)
downloadqtwebengine-chromium-f53d34e8678949a091ab54c573296ba855e8dda4.tar.gz
[Backport] CVE-2022-1138: Inappropriate implementation in Web Cursor.
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3413912: Make web cursor size limits match on browser and renderer. Use NSCursor arrowCursor on Mac for ui::mojom::CursorType::kNull (i.e. when WebCursor is constructed with an overly large custom cursor). Bug: 1246188 Test: Automated unit tests and WPTs Change-Id: I89627fa13cba96b755b8f80adbc91cfc865b6b1b Reviewed-by: Henrique Ferreiro <hferreiro@igalia.com> Reviewed-by: Charlie Harrison <csharrison@chromium.org> Commit-Queue: Mike Wasserman <msw@chromium.org> Auto-Submit: Mike Wasserman <msw@chromium.org> Cr-Commit-Position: refs/heads/main@{#964378} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/content/common/cursors/webcursor.cc11
-rw-r--r--chromium/content/common/cursors/webcursor_mac.mm1
2 files changed, 7 insertions, 5 deletions
diff --git a/chromium/content/common/cursors/webcursor.cc b/chromium/content/common/cursors/webcursor.cc
index a9d5a6f64fb..0ce6024377a 100644
--- a/chromium/content/common/cursors/webcursor.cc
+++ b/chromium/content/common/cursors/webcursor.cc
@@ -32,16 +32,17 @@ WebCursor& WebCursor::operator=(const WebCursor& other) {
}
bool WebCursor::SetCursor(const ui::Cursor& cursor) {
- static constexpr int kMaxSize = 1024;
+ // This value matches kMaximumCursorSize from Blink's EventHandler.
+ static constexpr int kMaximumCursorSize = 128;
if (cursor.image_scale_factor() < 0.01f ||
cursor.image_scale_factor() > 100.f ||
(cursor.type() == ui::mojom::CursorType::kCustom &&
- (cursor.custom_bitmap().width() > kMaxSize ||
- cursor.custom_bitmap().height() > kMaxSize ||
+ (cursor.custom_bitmap().width() > kMaximumCursorSize ||
+ cursor.custom_bitmap().height() > kMaximumCursorSize ||
cursor.custom_bitmap().width() / cursor.image_scale_factor() >
- kMaxSize ||
+ kMaximumCursorSize ||
cursor.custom_bitmap().height() / cursor.image_scale_factor() >
- kMaxSize))) {
+ kMaximumCursorSize))) {
return false;
}
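Review bot: The new `static constexpr int kMaximumCursorSize = 128;` is kept in step with Blink only by a hand-copied literal and the one-line comment above it, so the two limits can silently drift apart the next time either side is edited; the comment should name the Blink source file and constant it mirrors rather than just "Blink's EventHandler", e.g. `// Must stay in sync with kMaximumCursorSize in Blink's EventHandler (see <blink event handler source file>); this is the browser-side limit and is the binding one.` Per the commit message this check is the browser-side half of the pair, and it runs on cursor data that originates in the renderer, so the value here is what actually bounds the bitmap regardless of what Blink enforces. If the backported unit tests do not already pin the boundary, a test that accepts a 128x128 bitmap and rejects 129 wide and 129 tall — plus the scale-factor-divided variants on the lines following — would catch a future mismatch. SetCursor's body continues past the end of the hunk.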
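--- a/chromium/content/common/cursors/webcursor_mac.mm
+++ b/chromium/content/common/cursors/webcursor_mac.mm
@@ -264,6 +264,7 @@ gfx::NativeCursor WebCursor::GetNativeCursor() {
 case ui::mojom::CursorType::kCustom:
 return CreateCustomCursor(cursor_);
 case ui::mojom::CursorType::kNull:
+return [NSCursor arrowCursor];
 case ui::mojom::CursorType::kDndNone:
 case ui::mojom::CursorType::kDndMove:
 case ui::mojom::CursorType::kDndCopy: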
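Review bot: The added `return [NSCursor arrowCursor];` under `kNull` carries no comment explaining why this case, which previously fell through into the `kDndNone` group, now gets the plain arrow; the reason is only in the commit message (kNull is the type WebCursor ends up with after an over-sized custom cursor is rejected), and it belongs next to the code so the next reader does not "fix" it back into the fall-through. Suggest `// kNull is what WebCursor holds after SetCursor() rejects an over-sized custom cursor; show the default arrow instead of a DnD cursor.` GetNativeCursor starts and ends outside the hunk, so the remaining cases were not reviewed here.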