Use a resource after Free in OffscreenCanvasRC::DrawTextInternal()

In OffscreenCanvasRenderingContext::DrawTextInternal(), |paint_canvas| can be freed in the draw command in BaseRenderingContext. We then use the |paint_canvas| causes the security bug that we are using a resource after it's freed. Looking at how |paint_canvas| is used in the method DrawTextInternal(), restore a cleared |paint_canvas| is not really necessary. So I removed it's only restored if the canvas is not cleared (i.e. canvas is not freed). Bug: 1111737 Change-Id: I699b855434f7ddfbc678d2a9cfe25fe4938a798a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2358574 Commit-Queue: Yi Xu <yiyix@chromium.org> Reviewed-by: Fernando Serboncini <fserb@chromium.org> Reviewed-by: Aaron Krajeski <aaronhk@chromium.org> Cr-Commit-Position: refs/heads/master@{#802508}

Use a resource after Free in OffscreenCanvasRC::DrawTextInternal()
In OffscreenCanvasRenderingContext::DrawTextInternal(), |paint_canvas| can be freed in the draw command in BaseRenderingContext. We then use the |paint_canvas| causes the security bug that we are using a resource after it's freed. Looking at how |paint_canvas| is used in the method DrawTextInternal(), restore a cleared |paint_canvas| is not really necessary. So I removed it's only restored if the canvas is not cleared (i.e. canvas is not freed). Bug: 1111737 Change-Id: I699b855434f7ddfbc678d2a9cfe25fe4938a798a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2358574 Commit-Queue: Yi Xu <yiyix@chromium.org> Reviewed-by: Fernando Serboncini <fserb@chromium.org> Reviewed-by: Aaron Krajeski <aaronhk@chromium.org> Cr-Commit-Position: refs/heads/master@{#802508}
15c4ec7c · yiyix · Commit Bot · be6c3c92 · 15c4ec7c · 15c4ec7c
Commit 15c4ec7c authored Aug 28, 2020 by yiyix Committed by Commit Bot Aug 28, 2020
2 changed files
--- a/third_party/blink/renderer/modules/canvas/offscreencanvas2d/offscreen_canvas_rendering_context_2d.cc
+++ b/third_party/blink/renderer/modules/canvas/offscreencanvas2d/offscreen_canvas_rendering_context_2d.cc
@@ -576,8 +576,14 @@ void OffscreenCanvasRenderingContext2D::DrawTextInternal(
      [](const SkIRect& rect)  // overdraw test lambda
      { return false; },
      bounds, paint_type, CanvasRenderingContext2DState::kNoImage);
-  paint_canvas->restoreToCount(save_count);
-  ValidateStateStack();
+
+  // |paint_canvas| maybe rese during Draw. If that happens,
+  // GetOrCreatePaintCanvas will create a new |paint_canvas| and return a new
+  // address. In this case, there is no need to call |restoreToCount|.
+  if (paint_canvas == GetOrCreatePaintCanvas()) {
+    paint_canvas->restoreToCount(save_count);
+    ValidateStateStack();
+  }
 }

 TextMetrics* OffscreenCanvasRenderingContext2D::measureText(

--- a/third_party/blink/web_tests/fast/canvas/OffscreenCanvas-drawText.html
+++ b/third_party/blink/web_tests/fast/canvas/OffscreenCanvas-drawText.html
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+<script type="text/javasctipt" id="worker">
+  var offscreenCanvas = new OffscreenCanvas(100, 100);
+  var ctx = offscreenCanvas.getContext("2d");
+  ctx.globalCompositeOperation = "copy";
+  ctx.rect(10, 10, 150, 100);
+  ctx.fill("evenodd");
+  ctx.lineTo(1,1);
+  ctx.fillText("", 1, 1);
+</script>
+<script>
+test(function() {
+    const worker = new Worker(
+        URL.createObjectURL(
+            new Blob(
+                [document.querySelector("#worker").textContent],
+                {type: 'text/javascript'}
+            )
+        )
+    );
+}, "crbug.com/1111737, pass by not crashing.");
+</script>