authorRobert Phillips <robertphillips@google.com>2020-09-14 18:54:13 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-10-21 12:12:32 +0000
commit9f5fde5b64966dfeaa4573e06463f35cbf2bcf5a (patch)
tree19f711b2c48a58e33b85b7774c7b9da05addf3de
parent308da5d58b459b0f377dcf9e577d1e29111437da (diff)
downloadqtwebengine-chromium-9f5fde5b64966dfeaa4573e06463f35cbf2bcf5a.tar.gz
[Backport] CVE-2020-15968: Use after free in Blink
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2405644: Disallow creation of CanvasResourceProviders for zero sized images Bug: 1126424 Change-Id: I17ddbdce78d89a997a73c37f18cd945b83936f7f Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc3
1 files changed, 3 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc b/chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc
index 7955722efa4..ff9e159cbe5 100644
--- a/chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc
+++ b/chromium/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc
@@ -930,6 +930,9 @@ CanvasResourceProvider::CreateSharedImageProvider(
if (!context_provider_wrapper)
return nullptr;
+ if (size.Width() <= 0 || size.Height() <= 0)
+ return nullptr;
+
const auto& caps =
context_provider_wrapper->ContextProvider()->GetCapabilities();
if (size.Width() > caps.max_texture_size ||