From 9be549ff9c718f31e55e42f36ea270d42f77513c Mon Sep 17 00:00:00 2001
From: chenyang
Date: Thu, 29 Feb 2024 18:59:30 +0800
Subject: [PATCH] =?UTF-8?q?fixed=20ce98619=20from=20https://gitee.com/chen?= =?UTF-8?q?yang322/chromium=5Fthird=5Fparty/pulls/159=20=E4=BF=AE=E5=A4=8D?= =?UTF-8?q?CVE-2024-1283?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: chenyang
---
 .../image-decoders/bmp/bmp_image_reader.cc | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/blink/renderer/platform/image-decoders/bmp/bmp_image_reader.cc b/blink/renderer/platform/image-decoders/bmp/bmp_image_reader.cc
index 01a1ca9325..0b71db2ab9 100644
--- a/blink/renderer/platform/image-decoders/bmp/bmp_image_reader.cc
+++ b/blink/renderer/platform/image-decoders/bmp/bmp_image_reader.cc
@@ -826,8 +826,10 @@ BMPImageReader::ProcessingResult BMPImageReader::ProcessRLEData() {
 // the image.
 const uint8_t count = ReadUint8(0);
 const uint8_t code = ReadUint8(1);
- if ((count || (code != 1)) && PastEndOfImage(0))
+ const bool is_past_end_of_image = PastEndOfImage(0);
+ if ((count || (code != 1)) && is_past_end_of_image) {
 return kFailure;
+ }
 
 // Decode.
 if (!count) {
@@ -848,7 +850,9 @@ BMPImageReader::ProcessingResult BMPImageReader::ProcessRLEData() {
 (is_top_down_ ? (coord_.y() < (parent_->Size().height() - 1))
 : (coord_.y() > 0)))
 buffer_->SetHasAlpha(true);
- ColorCorrectCurrentRow();
+ if (!is_past_end_of_image) {
+ ColorCorrectCurrentRow();
+ }
 // There's no need to move |coord_| here to trigger the caller
 // to call SetPixelsChanged(). If the only thing that's changed
 // is the alpha state, that will be properly written into the 
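Review bot: The new `if (!is_past_end_of_image)` guard around `ColorCorrectCurrentRow()` in the @@ -848 hunk has no comment saying why color correction is skipped, so a later reader may take the skip for a bug; the reason is that the end-of-image marker is accepted even when `coord_` already points past the last row (the `(count || (code != 1))` condition in the @@ -826 hunk permits exactly that case), and there is then no bitmap row to correct. I would add `// The EOF marker is legal past the last row; there is no current row to color-correct then.` directly above the guard. `is_past_end_of_image` is a snapshot taken before the `switch` in the @@ -826 hunk, which is sound only if nothing between the snapshot and this use moves `coord_`; that appears to hold for the end-of-image branch, but the enclosing ProcessRLEData starts and ends outside these hunks, so it is worth confirming against the full function.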
@@ -1060,6 +1064,13 @@ void BMPImageReader::ColorCorrectCurrentRow() {
 const ColorProfileTransform* const transform = parent_->ColorTransform();
 if (!transform)
 return;
+ int decoder_width = parent_->Size().width();
+ // Enforce 0 ≤ current row < bitmap height.
+ CHECK_GE(coord_.y(), 0);
+ CHECK_LT(coord_.y(), buffer_->Bitmap().height());
+ // Enforce decoder width == bitmap width exactly. (The bitmap rowbytes might
+ // add a bit of padding, but we are only converting one row at a time.)
+ CHECK_EQ(decoder_width, buffer_->Bitmap().width());
 ImageFrame::PixelData* const row = buffer_->GetAddr(0, coord_.y());
 const skcms_PixelFormat fmt = XformColorFormat();
 const skcms_AlphaFormat alpha =
@@ -1068,7 +1079,7 @@ void BMPImageReader::ColorCorrectCurrentRow() {
 : skcms_AlphaFormat_Unpremul;
 const bool success =
 skcms_Transform(row, fmt, alpha, transform->SrcProfile(), row, fmt, alpha,
- transform->DstProfile(), parent_->Size().width());
+ transform->DstProfile(), decoder_width);
 DCHECK(success);
 buffer_->SetPixelsChanged(true);
 }
-- 
Gitee
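Review bot: `int decoder_width = parent_->Size().width();` in the @@ -1060 hunk is never reassigned and should be `const int decoder_width = parent_->Size().width();`, matching the `const` locals around it (`transform`, `row`, `fmt`). The three CHECKs are placed after the `if (!transform) return;` early-out, so `coord_` is validated only on the transform path; that is enough for this function because `buffer_->GetAddr(0, coord_.y())` is its only row access and it follows the checks, but a caller with no color transform gets no row validation from here, which is worth stating in the hunk's comment if that is the intent. The comment `// Enforce 0 ≤ current row < bitmap height.` uses a non-ASCII `≤`; `// Enforce 0 <= current row < bitmap height.` keeps the file ASCII like the surrounding comments. The @@ -1068 hunk only substitutes `decoder_width` for the width argument, which the `CHECK_EQ` already pins to the bitmap width.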