| author | Robert Phillips <robertphillips@google.com> | 2020-09-14 18:54:13 +0000 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2020-10-14 07:35:21 +0000 |
| commit | 95bf758e9e5d48ea2fbf83b111dafaeae5832e26 (patch) | |
| tree | d1e52604487ebf444c059036318f3c66c3c1ef19 | |
| parent | d6e06841443a40c99efd209bce6c96c8a7659c34 (diff) | |
| download | qtwebengine-chromium-95bf758e9e5d48ea2fbf83b111dafaeae5832e26.tar.gz | |
[Backport] CVE-2020-15968: Use after free in Blink
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2405644:
Disallow creation of CanvasResourceProviders for zero sized images
Bug: 1126424
Change-Id: I17ddbdce78d89a997a73c37f18cd945b83936f7f
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc b/chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc index d67da4a7740..952957a0a87 100644 --- a/chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc +++ b/chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc @@ -398,6 +398,9 @@ std::unique_ptr<CanvasResourceProvider> CanvasResourceProvider::Create( const ResourceType* resource_type_fallback_list = nullptr; size_t list_length = 0; + if (size.Width() <= 0 || size.Height() <= 0) + return nullptr; + switch (usage) { case kSoftwareResourceUsage: resource_type_fallback_list = kSoftwareFallbackList; |
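Review bot: The new early return `if (size.Width() <= 0 || size.Height() <= 0) return nullptr;` sits before `switch (usage)`, so every usage path in `CanvasResourceProvider::Create` is covered, but the hunk adds no comment explaining the contract change: callers that previously got a provider for a 0x0 or negative size now receive nullptr, so each call site must null-check the result or the use-after-free this backport fixes is traded for a null dereference. Suggest a one-line comment above the check referencing the bug (e.g. `// Zero-sized images cannot back a resource; see Bug 1126424`), and a unit test that calls `Create` with 0x0, 0xN and Nx0 sizes and asserts a null return.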