author | Austin Eng <enga@chromium.org> | 2022-04-25 21:01:40 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-05-03 20:17:26 +0000 |
commit | fe38b68770525c78b18e0f382c3f20bca3b78b7e (patch) | |
tree | af359745f37c12ecd2b1542b2abc4ecef85e6205 | |
parent | a7ab734011f495d86c1461fbb1fe1bf78d958ea7 (diff) | |
download | qtwebengine-chromium-fe38b68770525c78b18e0f382c3f20bca3b78b7e.tar.gz |
[Backport] CVE-2022-1483: Heap buffer overflow in WebGPU
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3589810:
[M96-LTS] Add bounds check to WebGPUDecoderImpl::DoRequestDevice
(cherry picked from commit bee4701c99cbbbb25c0bd6c5c79a40f63f1b1e47)
Fixed: chromium:1314754
Change-Id: Id23af9cc3df08cca3ce7d627e3761c9a65a2c802
Commit-Queue: Austin Eng <enga@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#991510}
Reviewed-by: Achuith Bhandarkar <achuith@chromium.org>
Owners-Override: Achuith Bhandarkar <achuith@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1603}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/gpu/command_buffer/service/webgpu_decoder_impl.cc | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/chromium/gpu/command_buffer/service/webgpu_decoder_impl.cc b/chromium/gpu/command_buffer/service/webgpu_decoder_impl.cc index 4b033949c11..829052b57ea 100644 --- a/chromium/gpu/command_buffer/service/webgpu_decoder_impl.cc +++ b/chromium/gpu/command_buffer/service/webgpu_decoder_impl.cc @@ -521,10 +521,11 @@ error::Error WebGPUDecoderImpl::InitDawnDevice( uint32_t device_id, uint32_t device_generation, const WGPUDeviceProperties& request_device_properties) { - DCHECK_LE(0, requested_adapter_index); - DCHECK_LT(static_cast<size_t>(requested_adapter_index), - dawn_adapters_.size()); + if (requested_adapter_index < 0 || + static_cast<uint32_t>(requested_adapter_index) >= dawn_adapters_.size()) { + return error::kOutOfBounds; + } dawn_native::DeviceDescriptor device_descriptor; if (request_device_properties.textureCompressionBC) { |
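
Review bot: The new bounds check at the top of InitDawnDevice casts requested_adapter_index to uint32_t before comparing it with dawn_adapters_.size(), while the removed DCHECK_LT used static_cast<size_t>; keeping the size_t cast would match the container's size type and avoid a mixed-width comparison. The result is still correct because the `requested_adapter_index < 0` test is evaluated first. The commit message names WebGPUDecoderImpl::DoRequestDevice but this backport places the check in InitDawnDevice, so a one-line comment stating that the index is validated here because the replaced DCHECKs are compiled out of release builds, and that callers must propagate error::kOutOfBounds, would make the intent clear. The diffstat lists only this one file, so no regression test accompanies the fix; a test that passes a negative index and an index equal to dawn_adapters_.size() and expects error::kOutOfBounds would cover both branches of the condition.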