authorRobert Phillips <robertphillips@google.com>2020-09-14 18:54:13 +0000
committerMichael Brüning <michael.bruning@qt.io>2020-10-14 07:35:21 +0000
commit95bf758e9e5d48ea2fbf83b111dafaeae5832e26 (patch)
treed1e52604487ebf444c059036318f3c66c3c1ef19
parentd6e06841443a40c99efd209bce6c96c8a7659c34 (diff)
downloadqtwebengine-chromium-95bf758e9e5d48ea2fbf83b111dafaeae5832e26.tar.gz
[Backport] CVE-2020-15968: Use after free in Blink
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2405644: Disallow creation of CanvasResourceProviders for zero-sized images
Bug: 1126424
Change-Id: I17ddbdce78d89a997a73c37f18cd945b83936f7f
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc3
1 files changed, 3 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc b/chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc
index d67da4a7740..952957a0a87 100644
--- a/chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc
+++ b/chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc
@@ -398,6 +398,9 @@ std::unique_ptr<CanvasResourceProvider> CanvasResourceProvider::Create(
const ResourceType* resource_type_fallback_list = nullptr;
size_t list_length = 0;
+ if (size.Width() <= 0 || size.Height() <= 0)
+ return nullptr;
+
switch (usage) {
case kSoftwareResourceUsage:
resource_type_fallback_list = kSoftwareFallbackList;