From 3125a156f348ecf31c72db9a855a2734e8aa0464 Mon Sep 17 00:00:00 2001
From: Justin Novosad
Date: Thu, 26 May 2022 12:51:14 +0000
Subject: [Backport] CVE-2022-2010: Out of bounds read in compositing
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3669596: PaintOpReader: Harden PaintImage deserialization This fix prevents the deserialization of PaintImage pixel data from reading data out of bounds when the block of serialized pixel data isn't large enough to cover the expected amount of data, given the size and format of the image.
Bug: 1325298
Change-Id: Icbeb405d2031d7d8ce4537836d7996ce7885f6d1
Commit-Queue: Justin Novosad
Reviewed-by: Jonathan Ross
Cr-Commit-Position: refs/heads/main@{#1007804}
Reviewed-by: Michal Klocek
---
 chromium/cc/paint/paint_op_reader.cc | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/chromium/cc/paint/paint_op_reader.cc b/chromium/cc/paint/paint_op_reader.cc
index df1e7e6818d..0979f663017 100644
--- a/chromium/cc/paint/paint_op_reader.cc
+++ b/chromium/cc/paint/paint_op_reader.cc
@@ -320,6 +320,10 @@ void PaintOpReader::Read(PaintImage* image) {
 SkImageInfo image_info = SkImageInfo::Make(width, height, color_type, kPremul_SkAlphaType);
+ if (pixel_size < image_info.computeMinByteSize()) {
+ SetInvalid();
+ return;
+ }
 const volatile void* pixel_data = ExtractReadableMemory(pixel_size);
 if (!valid_) return;
-- 
cgit v1.2.3
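Review bot: The new guard only compares `pixel_size` against `computeMinByteSize()`, so its strength still rests on `width`, `height` and `color_type` having been validated before this hunk, which is outside the visible range; a zero-area image yields a minimum size of 0 and passes trivially, and if Skia's byte-size computation saturates on overflow (as I recall it does) the comparison then rejects the payload as too small, so both outcomes look acceptable but deserve to be written down. A why-comment above the check would make that reviewable later, e.g. `// Reject payloads shorter than the minimum footprint implied by the image geometry and color type; otherwise the pixel data handed out below would be read past its end.` The enclosing `PaintOpReader::Read(PaintImage*)` begins before and continues after the hunk, so where `width`, `height` and `pixel_size` are read and bounded cannot be confirmed from here.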