[Backport] Security bug 327183408

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/5382202:
Fix PaintImage deserialization arbitrary-read issue

(cherry picked from commit 47e8386c97ac7a84a96866fbd35422b99a01de5a)

Bug: 327183408
Change-Id: I09927fbae60b666aaa370e3aba01607cdb977a25
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5370455
Reviewed-by: Sunny Sachanandani <[email protected]>
Commit-Queue: Peng Huang <[email protected]>
Cr-Original-Commit-Position: refs/heads/main@{#1272930}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5382202
Auto-Submit: Peng Huang <[email protected]>
Commit-Queue: Sunny Sachanandani <[email protected]>
Cr-Commit-Position: refs/branch-heads/6261@{#1106}
Cr-Branched-From: 9755d9d81e4a8cb5b4f76b23b761457479dbb06b-refs/heads/main@{#1250580}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554627
Reviewed-by: Michal Klocek <[email protected]>

Author: phuang

chromium/cc/paint/paint_op_reader.cc

@@ -1572,9 +1572,10 @@ inline void PaintOpReader::DidRead(size_t bytes_read) {
   // All data are aligned with PaintOpWriter::kDefaultAlignment at least.
   size_t aligned_bytes =
       base::bits::AlignUp(bytes_read, PaintOpWriter::kDefaultAlignment);
-  memory_ += aligned_bytes;
   DCHECK_LE(aligned_bytes, remaining_bytes_);
-  remaining_bytes_ -= aligned_bytes;
+  bytes_read = std::min(aligned_bytes, remaining_bytes_);
+  memory_ += bytes_read;
+  remaining_bytes_ -= bytes_read;
 }
 
 }  // namespace cc