authorAllan Sandfeld Jensen <allan.jensen@qt.io>2019-10-15 12:02:51 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2019-10-16 12:25:41 +0000
commit6114514c9e767eefd222ae96973e8e3c7d73db0c (patch)
tree88fafbae7ca352949df0a21e829f1f8a522aa791
parente989f4cb89071617c401f2b3285013468c88f291 (diff)
downloadqtwebengine-chromium-6114514c9e767eefd222ae96973e8e3c7d73db0c.tar.gz
[Backport] Security issue 974354 [1/2]
Ensure that IOSurface is not smaller than GMB size. Sending an IOSurface of a smaller size could induce writing out of bounds. Bug: 974354 Change-Id: I8c0228e715102a96385faf5f58aacd210ee59919 Reviewed-by: ccameron <ccameron@chromium.org> Reviewed-by: Greg Kerr <kerrnel@chromium.org> Reviewed-by: Sunny Sachanandani <sunnyps@chromium.org> Commit-Queue: ccameron <ccameron@chromium.org> Cr-Commit-Position: refs/heads/master@{#674614} Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--chromium/gpu/ipc/common/gpu_memory_buffer_impl_io_surface.cc6
1 files changed, 6 insertions, 0 deletions
diff --git a/chromium/gpu/ipc/common/gpu_memory_buffer_impl_io_surface.cc b/chromium/gpu/ipc/common/gpu_memory_buffer_impl_io_surface.cc
index 56862fe4e26..62a14993865 100644
--- a/chromium/gpu/ipc/common/gpu_memory_buffer_impl_io_surface.cc
+++ b/chromium/gpu/ipc/common/gpu_memory_buffer_impl_io_surface.cc
@@ -76,6 +76,12 @@ GpuMemoryBufferImplIOSurface::CreateFromHandle(
}
return nullptr;
}
+ int64_t io_surface_width = IOSurfaceGetWidth(io_surface);
+ int64_t io_surface_height = IOSurfaceGetHeight(io_surface);
+ if (io_surface_width < size.width() || io_surface_height < size.height()) {
+ DLOG(ERROR) << "IOSurface size does not match handle.";
+ return nullptr;
+ }
return base::WrapUnique(new GpuMemoryBufferImplIOSurface(
handle.id, size, format, std::move(callback), io_surface.release(),