authorJustin Novosad <junov@chromium.org>2022-05-26 12:51:14 +0000
committerMichael Brüning <michael.bruning@qt.io>2022-07-25 16:36:30 +0000
commit3125a156f348ecf31c72db9a855a2734e8aa0464 (patch)
tree6b245c18baddd83b59f6b4cd73cccdd9ea54ea66 /chromium
parentce46a1995819e314b0913e1457800081aacdac1e (diff)
[Backport] CVE-2022-2010: Out of bounds read in compositing
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3669596: PaintOpReader: Harden PaintImage deserialization This fix prevents the deserialization of PaintImage pixel data from reading data out of bounds when the block of serialized pixel data isn't large enough to cover the expected amount of data, given the size and format of the image. Bug: 1325298 Change-Id: Icbeb405d2031d7d8ce4537836d7996ce7885f6d1 Commit-Queue: Justin Novosad <junov@chromium.org> Reviewed-by: Jonathan Ross <jonross@chromium.org> Cr-Commit-Position: refs/heads/main@{#1007804} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Diffstat (limited to 'chromium')
-rw-r--r--chromium/cc/paint/paint_op_reader.cc4
1 files changed, 4 insertions, 0 deletions
diff --git a/chromium/cc/paint/paint_op_reader.cc b/chromium/cc/paint/paint_op_reader.cc
index df1e7e6818d..0979f663017 100644
--- a/chromium/cc/paint/paint_op_reader.cc
+++ b/chromium/cc/paint/paint_op_reader.cc
@@ -320,6 +320,10 @@ void PaintOpReader::Read(PaintImage* image) {
SkImageInfo image_info =
SkImageInfo::Make(width, height, color_type, kPremul_SkAlphaType);
+ if (pixel_size < image_info.computeMinByteSize()) {
+ SetInvalid();
+ return;
+ }
const volatile void* pixel_data = ExtractReadableMemory(pixel_size);
if (!valid_)
return;