From b44a099f73782800bbd08508c2cb773f57c27e17 Mon Sep 17 00:00:00 2001
From: Herb Derby
Date: Thu, 21 May 2020 14:46:06 -0400
Subject: [Backport] CVE-2020-6523: Out of bounds write in Skia
Manual cherry-pick of patch originally reviewed on Drop SkTextBlobs with > 2M glyphs. This will guard against buffer overflows for large text blobs.
Bug: chromium:1080481
Change-Id: I13a10869babfa149a70c2f4caebb3a1ae4452b77
Reviewed-by: Allan Sandfeld Jensen
---
 chromium/third_party/skia/src/core/SkCanvas.cpp | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/chromium/third_party/skia/src/core/SkCanvas.cpp b/chromium/third_party/skia/src/core/SkCanvas.cpp
index 46fee6110da..51efa67fe4b 100644
--- a/chromium/third_party/skia/src/core/SkCanvas.cpp
+++ b/chromium/third_party/skia/src/core/SkCanvas.cpp
@@ -2699,6 +2699,19 @@ void SkCanvas::drawTextBlob(const SkTextBlob* blob, SkScalar x, SkScalar y,
 TRACE_EVENT0("skia", TRACE_FUNC);
 RETURN_ON_NULL(blob);
 RETURN_ON_FALSE(blob->bounds().makeOffset(x, y).isFinite());
+
+ // Overflow if more than 2^21 glyphs stopping a buffer overflow latter in the stack.
+ // See chromium:1080481
+ // TODO: can consider unrolling a few at a time if this limit becomes a problem.
+ int totalGlyphCount = 0;
+ constexpr int kMaxGlyphCount = 1 << 21;
+ SkTextBlob::Iter i(*blob);
+ SkTextBlob::Iter::Run r;
+ while (i.next(&r)) {
+ int glyphsLeft = kMaxGlyphCount - totalGlyphCount;
+ RETURN_ON_FALSE(r.fGlyphCount <= glyphsLeft);
+ totalGlyphCount += r.fGlyphCount;
+ }
 this->onDrawTextBlob(blob, x, y, paint);
 }
-- cgit v1.2.1
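Review bot: The per-run check `RETURN_ON_FALSE(r.fGlyphCount <= glyphsLeft);` only bounds the count from above; if `fGlyphCount` is a signed `int` (as `SkTextBlob::Iter::Run` appears to declare it), a negative value passes the check and shrinks `totalGlyphCount`, so a later oversized run would also slip under `kMaxGlyphCount`. Computing `glyphsLeft` by subtraction rather than adding into the total is the right choice, since it cannot overflow `int`, but the same robustness should cover the sign: `RETURN_ON_FALSE(r.fGlyphCount >= 0 && r.fGlyphCount <= glyphsLeft);`. The leading comment also has a typo and reads awkwardly; I would write it as `// Reject blobs with more than 2^21 glyphs to stop a buffer overflow later in the stack.` and add a second line stating why 2^21 was chosen (e.g. the downstream buffer size it must stay under), since the limit is otherwise unexplained. The enclosing `drawTextBlob` signature begins outside the hunk (only its first line appears in the `@@` header), so the `paint` parameter used on the closing context line is not visible here.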