author | Robert Phillips <robertphillips@google.com> | 2020-09-14 18:54:13 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-10-21 12:12:32 +0000 |
commit | 9f5fde5b64966dfeaa4573e06463f35cbf2bcf5a (patch) | |
tree | 19f711b2c48a58e33b85b7774c7b9da05addf3de | |
parent | 308da5d58b459b0f377dcf9e577d1e29111437da (diff) | |
download | qtwebengine-chromium-9f5fde5b64966dfeaa4573e06463f35cbf2bcf5a.tar.gz |
[Backport] CVE-2020-15968: Use after free in Blink
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2405644:
Disallow creation of CanvasResourceProviders for zero sized images
Bug: 1126424
Change-Id: I17ddbdce78d89a997a73c37f18cd945b83936f7f
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc b/chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc index 7955722efa4..ff9e159cbe5 100644 --- a/chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc +++ b/chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc @@ -930,6 +930,9 @@ CanvasResourceProvider::CreateSharedImageProvider( if (!context_provider_wrapper) return nullptr; + if (size.Width() <= 0 || size.Height() <= 0) + return nullptr; + const auto& caps = context_provider_wrapper->ContextProvider()->GetCapabilities(); if (size.Width() > caps.max_texture_size || |
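Review bot: the new guard `if (size.Width() <= 0 || size.Height() <= 0) return nullptr;` is added only in CanvasResourceProvider::CreateSharedImageProvider, while the commit message describes the fix as disallowing CanvasResourceProviders for zero-sized images in general; if the other Create* factories in canvas_resource_provider.cc also take a caller-supplied size, they need the same early return, or the backport description should state why the shared-image path is the only one affected. A one-line comment on the new lines pointing at Bug 1126424 would also help maintainers, because nothing in the surrounding context explains why a zero dimension must be rejected here, and the check sits directly above the existing `caps.max_texture_size` comparison, so the two together now bound the size from both ends.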