chore: cherry-pick f1504440487f from chromium (#34540)

* chore: cherry-pick f1504440487f from chromium * chore: update patches Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com> Co-authored-by: Electron Bot <electron@github.com>
2026-04-10 03:01:51 -04:00 · 2022-06-15 17:33:37 +02:00
parent 7162f641b5
commit 851350b9f3
2 changed files with 69 additions and 0 deletions
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -121,5 +121,6 @@ cherry-pick-6b66a45021a0.patch
 fix_xkb_keysym_reverse_look_up_for_lacros.patch
 custom_protocols_plzserviceworker.patch
 pa_support_16kb_pagesize_on_linux_arm64.patch
+cherry-pick-f1504440487f.patch
 cherry-pick-21139756239b.patch
 cherry-pick-f1dd785e021e.patch
--- a/patches/chromium/cherry-pick-f1504440487f.patch
+++ b/patches/chromium/cherry-pick-f1504440487f.patch
@@ -0,0 +1,68 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Justin Novosad <junov@chromium.org>
+Date: Thu, 2 Jun 2022 19:35:57 +0000
+Subject: PaintOpReader: Harden PaintImage deserialization
+
+This fix prevents the deserialization of PaintImage pixel data from
+reading data out of bounds when the block of serialized pixel data isn't
+large enough to cover the expected amount of data, given the size and
+format of the image.
+
+(cherry picked from commit e89ea1489429a9a9e49e70d5d4e8d018fbafb6ac)
+
+Bug: 1325298
+Change-Id: Icbeb405d2031d7d8ce4537836d7996ce7885f6d1
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3669596
+Commit-Queue: Justin Novosad <junov@chromium.org>
+Reviewed-by: Jonathan Ross <jonross@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#1007804}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3687975
+Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Reviewed-by: Justin Novosad <junov@chromium.org>
+Auto-Submit: Srinivas Sista <srinivassista@chromium.org>
+Commit-Queue: Srinivas Sista <srinivassista@chromium.org>
+Cr-Commit-Position: refs/branch-heads/5005@{#1093}
+Cr-Branched-From: 5b4d9450fee01f821b6400e947b3839727643a71-refs/heads/main@{#992738}
+
+diff --git a/cc/paint/paint_op_reader.cc b/cc/paint/paint_op_reader.cc
+index c56e2ea7a641d679feb348b808519dd17b861081..ecc736b61defabd7cea081b3017bbeda9aeaf0e9 100644
+--- a/cc/paint/paint_op_reader.cc
+++ b/cc/paint/paint_op_reader.cc
+@@ -329,6 +329,10 @@ void PaintOpReader::Read(PaintImage* image) {
+ 
+         SkImageInfo image_info =
+             SkImageInfo::Make(width, height, color_type, kPremul_SkAlphaType);
+        if (pixel_size < image_info.computeMinByteSize()) {
+          SetInvalid(DeserializationError::kInsufficientPixelData);
+          return;
+        }
+         const volatile void* pixel_data = ExtractReadableMemory(pixel_size);
+         if (!valid_)
+           return;
+diff --git a/cc/paint/paint_op_reader.h b/cc/paint/paint_op_reader.h
+index 201cdfde5eea3a07e31a3d6a50a5119485d5c1fc..af784145a9365ea2f776a1020145c0b83c63f16d 100644
+--- a/cc/paint/paint_op_reader.h
+++ b/cc/paint/paint_op_reader.h
+@@ -180,8 +180,9 @@ class CC_PAINT_EXPORT PaintOpReader {
+     kSharedImageProviderNoAccess = 50,
+     kSharedImageProviderSkImageCreationFailed = 51,
+     kZeroSkColorFilterBytes = 52,
+    kInsufficientPixelData = 53,
+ 
+-    kMaxValue = kZeroSkColorFilterBytes,
+    kMaxValue = kInsufficientPixelData
+   };
+ 
+   template <typename T>
+diff --git a/tools/metrics/histograms/enums.xml b/tools/metrics/histograms/enums.xml
+index 0a822d8a7d59debfb250b98f2a2079f256715b52..34569a0fcd539bca6b465e0555c8d44677f57447 100644
+--- a/tools/metrics/histograms/enums.xml
+++ b/tools/metrics/histograms/enums.xml
+@@ -68766,6 +68766,7 @@ Called by update_net_trust_anchors.py.-->
+   <int value="50" label="SharedImageProvider no access"/>
+   <int value="51" label="SharedImageProvider SkImage creation failed"/>
+   <int value="52" label="Zero SkColorFilter bytes"/>
+  <int value="53" label="Insufficient Pixel Data"/>
+ </enum>
+ 
+ <enum name="PaletteModeCancelType">