authorBrian Osman <brianosman@google.com>2020-09-03 15:19:14 -0400
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-12-09 12:52:52 +0000
commit10cb7cc9b1103f1db3810146679477e33f0c5afa (patch)
tree719e4eec14c67f7f43cdaa90d356169fef6507e5
parenta0c71808bafa073782b163e00a657de3ee09834a (diff)
[Backport] Security bug 1123035
Manual backport of patch originally reviewed on https://skia-review.googlesource.com/c/skia/+/315219:

Limit morphology radius to 100 pixels

This limit is arbitrary, but hopefully prevents pathological (or malicious) SVG content from consuming huge amounts of CPU/GPU time, without impacting any legitimate uses of feMorphology. (Typical usage has a much smaller radius.)

Bug: chromium:1123035
Change-Id: I4405bc595128e9a6287eb5efa1be14621baa3a00
Reviewed-by: Mike Reed <reed@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/skia/src/effects/imagefilters/SkMorphologyImageFilter.cpp6
1 files changed, 5 insertions, 1 deletions
diff --git a/chromium/third_party/skia/src/effects/imagefilters/SkMorphologyImageFilter.cpp b/chromium/third_party/skia/src/effects/imagefilters/SkMorphologyImageFilter.cpp
index 899c5a1d57d..64a2642d291 100644
--- a/chromium/third_party/skia/src/effects/imagefilters/SkMorphologyImageFilter.cpp
+++ b/chromium/third_party/skia/src/effects/imagefilters/SkMorphologyImageFilter.cpp
@@ -538,7 +538,11 @@ sk_sp<SkSpecialImage> SkMorphologyImageFilter::onFilterImage(SkSpecialImage* sou
int width = SkScalarFloorToInt(radius.fX);
int height = SkScalarFloorToInt(radius.fY);
- if (width < 0 || height < 0) {
+ // Width (or height) must fit in a signed 32-bit int to avoid UBSAN issues (crbug.com/1018190)
+ // Further, we limit the radius to something much smaller, to avoid extremely slow draw calls:
+ // (crbug.com/1123035):
+ constexpr int kMaxRadius = 100; // (std::numeric_limits<int>::max() - 1) / 2;
+ if (width < 0 || height < 0 || width > kMaxRadius || height > kMaxRadius) {
return nullptr;
}