author | Justin Novosad <junov@chromium.org> | 2022-05-26 12:51:14 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-07-25 16:36:30 +0000 |
commit | 3125a156f348ecf31c72db9a855a2734e8aa0464 (patch) | |
tree | 6b245c18baddd83b59f6b4cd73cccdd9ea54ea66 /chromium | |
parent | ce46a1995819e314b0913e1457800081aacdac1e (diff) | |
[Backport] CVE-2022-2010: Out of bounds read in compositing

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3669596:

PaintOpReader: Harden PaintImage deserialization

This fix prevents the deserialization of PaintImage pixel data from
reading data out of bounds when the block of serialized pixel data isn't
large enough to cover the expected amount of data, given the size and
format of the image.

Bug: 1325298
Change-Id: Icbeb405d2031d7d8ce4537836d7996ce7885f6d1
Commit-Queue: Justin Novosad <junov@chromium.org>
Reviewed-by: Jonathan Ross <jonross@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1007804}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
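The commit message describes the defect class (a serialized pixel block shorter than what the image geometry implies) and the fix (compare the declared block size with the minimum byte size the geometry requires before handing the block out). The following is an added, self-contained model of that check; it is not Chromium or Qt code. The wire format, `ImageInfo`, `PaintImageReader`, `MakeBlob` and `Accepts` are constructed for this example; only `computeMinByteSize()`, `ExtractReadableMemory()` and `SetInvalid()` borrow their names from the patch, and the SIZE_MAX-on-overflow behaviour of `computeMinByteSize()` mirrors the documented contract of Skia's `SkImageInfo::computeMinByteSize()`.

```cpp
// Added example, not Chromium/Qt code: models the bounds check the backport
// adds to PaintOpReader::Read(PaintImage*). Format and names are constructed.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>
#include <vector>

// Bytes per pixel for a few formats (constructed, not Skia's SkColorType).
enum class ColorType : uint8_t { kAlpha8 = 1, kRGB565 = 2, kRGBA8888 = 4, kRGBAF32 = 16 };

struct ImageInfo {
  uint32_t width = 0;
  uint32_t height = 0;
  ColorType color_type = ColorType::kRGBA8888;

  // Tightest buffer size for this geometry, or SIZE_MAX if the product
  // overflows. Because the reader tests `pixel_size < computeMinByteSize()`,
  // an overflowing geometry is rejected by the same comparison.
  size_t computeMinByteSize() const {
    const size_t kMax = std::numeric_limits<size_t>::max();
    const size_t bpp = static_cast<size_t>(color_type);
    if (width != 0 && bpp > kMax / width) return kMax;
    const size_t row_bytes = bpp * width;
    if (height != 0 && row_bytes > kMax / height) return kMax;
    return row_bytes * height;
  }
};

// Reader over a constructed serialization:
//   u32 width | u32 height | u8 color_type | u32 pixel_size | pixel_size bytes
class PaintImageReader {
 public:
  PaintImageReader(const uint8_t* data, size_t size) : data_(data), remaining_(size) {}

  bool valid() const { return valid_; }

  // Returns the pixel block (pixel_size bytes), or nullptr once the stream
  // has been marked invalid.
  const uint8_t* Read(ImageInfo* info) {
    uint32_t pixel_size = 0;
    uint8_t color_type = 0;
    ReadSimple(&info->width);
    ReadSimple(&info->height);
    ReadSimple(&color_type);
    ReadSimple(&pixel_size);
    if (!valid_) return nullptr;
    if (!IsKnownColorType(color_type)) { SetInvalid(); return nullptr; }
    info->color_type = static_cast<ColorType>(color_type);

    // The backported check: the declared block must cover the whole image,
    // otherwise a later consumer copying computeMinByteSize() bytes would
    // read past the end of the block.
    if (pixel_size < info->computeMinByteSize()) {
      SetInvalid();
      return nullptr;
    }
    // The declared block must also fit inside the remaining stream.
    return ExtractReadableMemory(pixel_size);
  }

 private:
  template <typename T>
  void ReadSimple(T* out) {
    const uint8_t* p = ExtractReadableMemory(sizeof(T));
    if (p) std::memcpy(out, p, sizeof(T));
  }

  // Advances the cursor by `bytes`, or marks the stream invalid if too short.
  const uint8_t* ExtractReadableMemory(size_t bytes) {
    if (!valid_ || bytes > remaining_) { SetInvalid(); return nullptr; }
    const uint8_t* p = data_;
    data_ += bytes;
    remaining_ -= bytes;
    return p;
  }

  static bool IsKnownColorType(uint8_t v) { return v == 1 || v == 2 || v == 4 || v == 16; }
  void SetInvalid() { valid_ = false; }

  const uint8_t* data_;
  size_t remaining_;
  bool valid_ = true;
};

// Builds a blob with the given header and `payload` bytes of 0xAB pixel data;
// `declared` is the pixel_size written to the header (may disagree on purpose).
std::vector<uint8_t> MakeBlob(uint32_t w, uint32_t h, ColorType ct, uint32_t declared, size_t payload) {
  std::vector<uint8_t> blob;
  auto put = [&](const void* p, size_t n) {
    const uint8_t* b = static_cast<const uint8_t*>(p);
    blob.insert(blob.end(), b, b + n);
  };
  put(&w, 4);
  put(&h, 4);
  const uint8_t c = static_cast<uint8_t>(ct);
  put(&c, 1);
  put(&declared, 4);
  blob.resize(blob.size() + payload, 0xAB);
  return blob;
}

// True if the blob parses as a well-formed image.
bool Accepts(const std::vector<uint8_t>& blob) {
  PaintImageReader reader(blob.data(), blob.size());
  ImageInfo info;
  const uint8_t* pixels = reader.Read(&info);
  return pixels != nullptr && reader.valid();
}
```

`Accepts` returns false both for the shape the CVE describes (a 4x4 RGBA8888 image whose header declares only 16 bytes of pixels) and for a header that declares more bytes than the stream holds; an overflowing width/height pair is rejected because `computeMinByteSize()` saturates to SIZE_MAX.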
Diffstat (limited to 'chromium')

-rw-r--r-- | chromium/cc/paint/paint_op_reader.cc | 4 |
---|---|---|

1 files changed, 4 insertions, 0 deletions
diff --git a/chromium/cc/paint/paint_op_reader.cc b/chromium/cc/paint/paint_op_reader.cc index df1e7e6818d..0979f663017 100644 --- a/chromium/cc/paint/paint_op_reader.cc +++ b/chromium/cc/paint/paint_op_reader.cc @@ -320,6 +320,10 @@ void PaintOpReader::Read(PaintImage* image) { SkImageInfo image_info = SkImageInfo::Make(width, height, color_type, kPremul_SkAlphaType); + if (pixel_size < image_info.computeMinByteSize()) { + SetInvalid(); + return; + } const volatile void* pixel_data = ExtractReadableMemory(pixel_size); if (!valid_) return; |
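Review bot: the new `pixel_size < image_info.computeMinByteSize()` check in `Read(PaintImage*)` guarantees only that the declared block covers the tightest row stride; the hunk does not show how `pixel_data` is consumed afterwards, so confirm that consumer copies with `image_info.minRowBytes()` (or validates its own stride against `pixel_size`), otherwise a wider stride could still read past the block. A one-line comment above the `if` noting that `computeMinByteSize()` returns SIZE_MAX on overflow, so oversized `width`/`height` values are rejected by the same comparison, would spare future readers that lookup. The Diffstat also shows only `paint_op_reader.cc` touched, so this backport carries no regression test feeding an undersized pixel block; if the branch has `paint_op_reader` unit tests, one such case would pin the fix.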