author | Mike Wasserman <msw@chromium.org> | 2022-01-28 01:49:41 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-05-03 20:18:31 +0000 |
commit | 8d236143ced33de0e3d5522e87e5ece6d9f08811 (patch) | |
tree | c8b3f63e6e58b7795d2826637c523e670881d251 /chromium/content | |
parent | 197575fd8d9b9011b3b59418dc02a9dc93f9a8de (diff) | |
[Backport] CVE-2022-1138: Inappropriate implementation in Web Cursor.
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3413912:
Make web cursor size limits match on browser and renderer
Use NSCursor arrowCursor on Mac for ui::mojom::CursorType::kNull.
(i.e. when WebCursor is constructed with an overly large custom cursor)
Bug: 1246188
Test: Automated unit tests and WPTs
Change-Id: I89627fa13cba96b755b8f80adbc91cfc865b6b1b
Reviewed-by: Henrique Ferreiro <hferreiro@igalia.com>
Reviewed-by: Charlie Harrison <csharrison@chromium.org>
Commit-Queue: Mike Wasserman <msw@chromium.org>
Auto-Submit: Mike Wasserman <msw@chromium.org>
Cr-Commit-Position: refs/heads/main@{#964378}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Diffstat (limited to 'chromium/content')
-rw-r--r-- | chromium/content/common/cursors/webcursor.cc | 11 | ||||
-rw-r--r-- | chromium/content/common/cursors/webcursor_mac.mm | 1 |
2 files changed, 7 insertions, 5 deletions
diff --git a/chromium/content/common/cursors/webcursor.cc b/chromium/content/common/cursors/webcursor.cc
index c8b6b9d3f75..b6e0d02879c 100644
--- a/chromium/content/common/cursors/webcursor.cc
+++ b/chromium/content/common/cursors/webcursor.cc
@@ -22,16 +22,17 @@ WebCursor::WebCursor(const ui::Cursor& cursor) {
 WebCursor::WebCursor(const WebCursor& other) = default;
 
 bool WebCursor::SetCursor(const ui::Cursor& cursor) {
-  static constexpr int kMaxSize = 1024;
+  // This value matches kMaximumCursorSize from Blink's EventHandler.
+  static constexpr int kMaximumCursorSize = 128;
   if (cursor.image_scale_factor() < 0.01f ||
       cursor.image_scale_factor() > 100.f ||
       (cursor.type() == ui::mojom::CursorType::kCustom &&
-       (cursor.custom_bitmap().width() > kMaxSize ||
-        cursor.custom_bitmap().height() > kMaxSize ||
+       (cursor.custom_bitmap().width() > kMaximumCursorSize ||
+        cursor.custom_bitmap().height() > kMaximumCursorSize ||
         cursor.custom_bitmap().width() / cursor.image_scale_factor() >
-            kMaxSize ||
+            kMaximumCursorSize ||
         cursor.custom_bitmap().height() / cursor.image_scale_factor() >
-            kMaxSize))) {
+            kMaximumCursorSize))) {
     return false;
   }
 
diff --git a/chromium/content/common/cursors/webcursor_mac.mm b/chromium/content/common/cursors/webcursor_mac.mm
index f85c421f858..fdc70bdff2d 100644
--- a/chromium/content/common/cursors/webcursor_mac.mm
+++ b/chromium/content/common/cursors/webcursor_mac.mm
@@ -265,6 +265,7 @@ gfx::NativeCursor WebCursor::GetNativeCursor() {
     case ui::mojom::CursorType::kCustom:
       return CreateCustomCursor(cursor_);
     case ui::mojom::CursorType::kNull:
+      return [NSCursor arrowCursor];
     case ui::mojom::CursorType::kDndNone:
     case ui::mojom::CursorType::kDndMove:
     case ui::mojom::CursorType::kDndCopy:
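Review bot: The new `static constexpr int kMaximumCursorSize = 128;` in SetCursor is tied to Blink's kMaximumCursorSize only by the comment above it, which is the same convention-only coupling that let the old `kMaxSize = 1024` drift away from the renderer-side limit in the first place. A unit test that rejects a 129x129 custom bitmap, and one that rejects a 128x128 bitmap at image scale factor 0.5 (so the scaled size exceeds the limit), would pin the browser-side value to the intended one; the commit message says tests exist, so this may already be covered. The comparisons use `>`, so a bitmap of exactly 128 px is accepted; it is worth confirming that Blink's check is inclusive in the same way, otherwise the renderer can still hand the browser a cursor it refuses. A reciprocal comment on the Blink constant pointing back to this function would help keep the two in sync. SetCursor continues past the end of the hunk.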
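Review bot: The added `return [NSCursor arrowCursor];` for kNull carries no explanation of why kNull now maps to the arrow here, while the commit message says kNull is the type a WebCursor ends up with after an overly large custom cursor is rejected. A comment above the return, e.g. `// kNull is used when SetCursor rejected a custom cursor; show the default arrow.`, would record that intent for the next reader. If the other platform backends of GetNativeCursor (not in this diff) still fall through or default on kNull, they presumably need the same treatment; I cannot tell from this hunk. GetNativeCursor starts before the hunk and its switch continues after it.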