From f53d34e8678949a091ab54c573296ba855e8dda4 Mon Sep 17 00:00:00 2001
From: Mike Wasserman
Date: Fri, 28 Jan 2022 01:49:41 +0000
Subject: [Backport] CVE-2022-1138: Inappropriate implementation in Web Cursor.

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3413912:

Make web cursor size limits match on browser and renderer

Use NSCursor arrowCursor on Mac for ui::mojom::CursorType::kNull. (i.e. when WebCursor is constructed with an overly large custom cursor)

Bug: 1246188
Test: Automated unit tests and WPTs
Change-Id: I89627fa13cba96b755b8f80adbc91cfc865b6b1b
Reviewed-by: Henrique Ferreiro
Reviewed-by: Charlie Harrison
Commit-Queue: Mike Wasserman
Auto-Submit: Mike Wasserman
Cr-Commit-Position: refs/heads/main@{#964378}
Reviewed-by: Michal Klocek
---
 chromium/content/common/cursors/webcursor.cc | 11 ++++++-----
 chromium/content/common/cursors/webcursor_mac.mm | 1 +
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/chromium/content/common/cursors/webcursor.cc b/chromium/content/common/cursors/webcursor.cc
index a9d5a6f64fb..0ce6024377a 100644
--- a/chromium/content/common/cursors/webcursor.cc
+++ b/chromium/content/common/cursors/webcursor.cc
@@ -32,16 +32,17 @@ WebCursor& WebCursor::operator=(const WebCursor& other) {
 }
 bool WebCursor::SetCursor(const ui::Cursor& cursor) {
-  static constexpr int kMaxSize = 1024;
+  // This value matches kMaximumCursorSize from Blink's EventHandler.
+  static constexpr int kMaximumCursorSize = 128;
   if (cursor.image_scale_factor() < 0.01f ||
       cursor.image_scale_factor() > 100.f ||
       (cursor.type() == ui::mojom::CursorType::kCustom &&
-       (cursor.custom_bitmap().width() > kMaxSize ||
-        cursor.custom_bitmap().height() > kMaxSize ||
+       (cursor.custom_bitmap().width() > kMaximumCursorSize ||
+        cursor.custom_bitmap().height() > kMaximumCursorSize ||
         cursor.custom_bitmap().width() / cursor.image_scale_factor() >
-            kMaxSize ||
+            kMaximumCursorSize ||
         cursor.custom_bitmap().height() / cursor.image_scale_factor() >
-            kMaxSize))) {
+            kMaximumCursorSize))) {
     return false;
   }
diff --git a/chromium/content/common/cursors/webcursor_mac.mm b/chromium/content/common/cursors/webcursor_mac.mm
index 0fd7909e30d..88e103a08c0 100644
--- a/chromium/content/common/cursors/webcursor_mac.mm
+++ b/chromium/content/common/cursors/webcursor_mac.mm
@@ -264,6 +264,7 @@ gfx::NativeCursor WebCursor::GetNativeCursor() {
     case ui::mojom::CursorType::kCustom:
       return CreateCustomCursor(cursor_);
     case ui::mojom::CursorType::kNull:
+      return [NSCursor arrowCursor];
     case ui::mojom::CursorType::kDndNone:
     case ui::mojom::CursorType::kDndMove:
     case ui::mojom::CursorType::kDndCopy:
-- 
cgit v1.2.1
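Review bot: The 128-pixel limit introduced as `kMaximumCursorSize` is a second copy of a constant that Blink also defines, and the only thing tying the two together is the comment, so the next edit to either side can reopen exactly the browser/renderer mismatch this commit closes. I would make the dependency explicit in the comment, e.g. `// Must stay in sync with kMaximumCursorSize in Blink's EventHandler; a browser-side limit looser than the renderer's is the mismatch behind CVE-2022-1138.`, or better, move the constant to a header both sides include if the build layering allows it. Separately, the scale-factor guard on the unchanged lines rejects values below 0.01 and above 100 but not NaN, which fails both comparisons and then also defeats the new `/ cursor.image_scale_factor()` checks (NaN is never greater than the limit); if the factor can arrive from an untrusted process, `if (!(cursor.image_scale_factor() >= 0.01f && cursor.image_scale_factor() <= 100.f) ||` in place of the two range lines would close that. SetCursor's body continues past the end of the hunk.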
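Review bot: The new `return [NSCursor arrowCursor];` under `case ui::mojom::CursorType::kNull:` is explained only by the commit message, and inside the switch it reads like a stray line that broke a deliberate fall-through into the DnD cases, so it deserves a comment naming the reason, e.g. `// A rejected (e.g. oversized) custom cursor leaves the type as kNull; show the default arrow instead of falling through to the DnD handling below.` The switch and GetNativeCursor continue outside the hunk, so whether the other platforms' GetNativeCursor implementations now agree on what kNull renders as is not visible here and is worth checking alongside this change.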