authoryiyix <yiyix@chromium.org>2020-08-28 03:49:08 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-09-22 11:55:45 +0000
commite967bb155a01ded1c191b8eb51921f2057c498a5 (patch)
tree874ecc799b0fec544def2a7d524dbd74895ecc22
parent3ddb1e9639a5f7c9ba0eaf5d1407fc2bcba627d3 (diff)
downloadqtwebengine-chromium-e967bb155a01ded1c191b8eb51921f2057c498a5.tar.gz
[Backport] CVE-2020-6576: Use after free in offscreen canvas
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2358574: Use a resource after Free in OffscreenCanvasRC::DrawTextInternal() In OffscreenCanvasRenderingContext::DrawTextInternal(), |paint_canvas| can be freed in the draw command in BaseRenderingContext. Using |paint_canvas| afterwards causes the security bug that we are using a resource after it's freed. Looking at how |paint_canvas| is used in the method DrawTextInternal(), restoring a cleared |paint_canvas| is not really necessary. So I changed it so that it's only restored if the canvas is not cleared (i.e. the canvas is not freed). Bug: 1111737 Change-Id: I699b855434f7ddfbc678d2a9cfe25fe4938a798a Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/modules/canvas/offscreencanvas2d/offscreen_canvas_rendering_context_2d.cc10
1 files changed, 8 insertions, 2 deletions
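diff --git a/chromium/third_party/blink/renderer/modules/canvas/offscreencanvas2d/offscreen_canvas_rendering_context_2d.cc b/chromium/third_party/blink/renderer/modules/canvas/offscreencanvas2d/offscreen_canvas_rendering_context_2d.cc
index bc2b60c9771..83c3db05ca0 100644
--- a/chromium/third_party/blink/renderer/modules/canvas/offscreencanvas2d/offscreen_canvas_rendering_context_2d.cc
+++ b/chromium/third_party/blink/renderer/modules/canvas/offscreencanvas2d/offscreen_canvas_rendering_context_2d.cc
@@ -578,8 +578,14 @@ void OffscreenCanvasRenderingContext2D::DrawTextInternal(
 [](const SkIRect& rect) // overdraw test lambda
 { return false; },
 bounds, paint_type);
-paint_canvas->restoreToCount(save_count);
-ValidateStateStack();
+
+// |paint_canvas| maybe rese during Draw. If that happens,
+// GetOrCreatePaintCanvas will create a new |paint_canvas| and return a new
+// address. In this case, there is no need to call |restoreToCount|.
+if (paint_canvas == GetOrCreatePaintCanvas()) {
+paint_canvas->restoreToCount(save_count);
+ValidateStateStack();
+}
 }
 TextMetrics* OffscreenCanvasRenderingContext2D::measureText(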
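Review bot: The staleness guard at the new `if` probes with `GetOrCreatePaintCanvas()`, which by its name allocates a fresh canvas when the old one was reset, so the check can create a canvas only to skip the restore on it; a pointer comparison also cannot tell a reset apart from a reset followed by a new allocation at the same address, in which case `restoreToCount(save_count)` would run on the new canvas (presumably a no-op when `save_count` exceeds its current depth, but `ValidateStateStack()` would still run against a state this call never saved). If the context records whether the canvas was cleared during the draw, testing that state would be a more direct guard than comparing addresses. The added comment also has a typo and should read `// |paint_canvas| may be reset during Draw. If that happens,`. DrawTextInternal's body begins before the hunk.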