From 6b0d12aa31ae3553db04277d46ce14f57a6e20b3 Mon Sep 17 00:00:00 2001
From: Khushal
Date: Fri, 22 Nov 2019 20:47:08 +0000
Subject: [Backport] Security bug 1018629
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Cherry pick of patch originally reviewed on: https://chromium-review.googlesource.com/c/chromium/src/+/1922305
blink: Handle peekPixels failure in ImageDataBuffer and add msan checks.
R=fserb@chromium.org
Bug: 1018629
Auto-Submit: Khushal
Commit-Queue: Fernando Serboncini
Reviewed-by: Fernando Serboncini
Cr-Commit-Position: refs/heads/master@{#718268}
Change-Id: Ied407cbaeeb920ffe0c25b39a03f485bebfe5bc0
Reviewed-by: Jüri Valdmann
---
 .../blink/renderer/platform/graphics/image_data_buffer.cc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc b/chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc
index 8e1255ce43b..fe622fba3ae 100644
--- a/chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc
+++ b/chromium/third_party/blink/renderer/platform/graphics/image_data_buffer.cc
@@ -34,6 +34,7 @@
 #include
+#include "base/compiler_specific.h"
 #include "base/memory/ptr_util.h"
 #include "third_party/blink/renderer/platform/graphics/static_bitmap_image.h"
 #include "third_party/blink/renderer/platform/image-encoders/image_encoder.h"
@@ -78,10 +79,12 @@ ImageDataBuffer::ImageDataBuffer(scoped_refptr image) {
 pixmap_.reset();
 return;
 }
+ MSAN_CHECK_MEM_IS_INITIALIZED(pixmap_.addr(), pixmap_.computeByteSize());
 retained_image_ = SkImage::MakeRasterData(info, std::move(data), rowBytes);
 } else {
 if (!retained_image_->peekPixels(&pixmap_))
 return;
+ MSAN_CHECK_MEM_IS_INITIALIZED(pixmap_.addr(), pixmap_.computeByteSize());
 }
 is_valid_ = true;
 size_ = IntSize(image->width(), image->height());
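Review bot: In the constructor hunk, `retained_image_ = SkImage::MakeRasterData(info, std::move(data), rowBytes);` is not checked for null before control falls through to `is_valid_ = true`, so a failed MakeRasterData would leave the buffer marked valid with no backing image. The setup of `pixmap_` and `data` lies above the hunk; if `pixmap_` points into `data` (to be confirmed against the full function), the moved-from buffer would also be released on that path and `pixmap_.addr()` would dangle. A guard after the call, `if (!retained_image_) { pixmap_.reset(); return; }`, would mirror the `pixmap_.reset(); return;` branch at the top of the hunk. Separately, `MSAN_CHECK_MEM_IS_INITIALIZED` is compiled out of non-MSan builds, so a comment such as `// Diagnostic only: no-op outside MSan builds.` on both added calls would keep readers from treating it as a runtime guard.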
@@ -161,7 +164,9 @@ String ImageDataBuffer::ToDataURL(const ImageEncodingMimeType mime_type,
 if (!pixmap.colorSpace()->isSRGB()) {
 skia_image = SkImage::MakeFromRaster(pixmap, nullptr, nullptr);
 skia_image = skia_image->makeColorSpace(SkColorSpace::MakeSRGB());
- skia_image->peekPixels(&pixmap);
+ if (!skia_image->peekPixels(&pixmap))
+ return "data:,";
+ MSAN_CHECK_MEM_IS_INITIALIZED(pixmap.addr(), pixmap.computeByteSize());
 }
 pixmap.setColorSpace(nullptr);
 }
-- cgit v1.2.1
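Review bot: The new `peekPixels` guard in ToDataURL still dereferences `skia_image` without a null test, although both `SkImage::MakeFromRaster(...)` and `makeColorSpace(...)` on the two preceding lines can return null per Skia's API. The failure path this commit adds would then be reached only after a null dereference in the color-space conversion case. Folding the check into the guard, `if (!skia_image || !skia_image->peekPixels(&pixmap)) return "data:,";`, covers the conversion result, and a matching `if (!skia_image) return "data:,";` after MakeFromRaster covers the first call. The function body begins and ends outside the hunk, so it is also worth confirming there that `skia_image` outlives every later use of `pixmap`, which now points into that image's pixels.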