authorMichael BrĂ¼ning <michael.bruning@qt.io>2019-03-25 11:25:47 +0100
committerMichael BrĂ¼ning <michael.bruning@qt.io>2019-03-27 17:15:34 +0000
commit03be3aa656a97db6b47ca1dddcbf1ccdde8f3c04 (patch)
tree2c9df8c0c46b2e3faf57b07c5d044479854c72ca
parent700a4af1fb50b5b912c8e7b4013d7e3e1f93dfd2 (diff)
downloadqtwebengine-chromium-03be3aa656a97db6b47ca1dddcbf1ccdde8f3c04.tar.gz
[Backport] Security bug 917707
Backport of original patch by Andrienne Walker <enne@chromium.org>: Fix potential memory overrun in MapRasterCHROMIUM ScopedTransferBufferPtr does an AllocUpTo which may return a valid pointer to memory that is smaller than requested. MapRasterCHROMIUM assumed that if the memory was valid then it was the size that was requested, which is incorrect. This is also a dependency for security bug 905509 (13/13) Bug: 917707 Change-Id: Ifb8f762632e06b7d7a30b428ba35c79445b211e0 Reviewed-on: https://chromium-review.googlesource.com/c/1461757 Reviewed-on: https://chromium-review.googlesource.com/c/1479292 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/gpu/command_buffer/client/raster_implementation.cc18
-rw-r--r--chromium/gpu/command_buffer/client/raster_implementation.h4
-rw-r--r--chromium/gpu/command_buffer/client/raster_implementation_unittest.cc7
3 files changed, 13 insertions, 16 deletions
diff --git a/chromium/gpu/command_buffer/client/raster_implementation.cc b/chromium/gpu/command_buffer/client/raster_implementation.cc
index a116bba0aa7..0bbfd8c61e7 100644
--- a/chromium/gpu/command_buffer/client/raster_implementation.cc
+++ b/chromium/gpu/command_buffer/client/raster_implementation.cc
@@ -134,12 +134,12 @@ class PaintOpSerializer {
cc::TransferCacheSerializeHelper* transfer_cache_helper,
ClientFontManager* font_manager)
: ri_(ri),
- buffer_(static_cast<char*>(ri_->MapRasterCHROMIUM(initial_size))),
stashing_image_provider_(stashing_image_provider),
transfer_cache_helper_(transfer_cache_helper),
- font_manager_(font_manager),
- free_bytes_(buffer_ ? initial_size : 0) {}
-
+ font_manager_(font_manager) {
+ buffer_ =
+ static_cast<char*>(ri_->MapRasterCHROMIUM(initial_size, &free_bytes_));
+ }
~PaintOpSerializer() {
// Need to call SendSerializedData;
DCHECK(!written_bytes_);
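Review bot: `free_bytes_` is no longer initialized in the member-initializer list; after this change its value is set only through the out-pointer on the `MapRasterCHROMIUM` call at L34, so the constructor is correct only as long as every path in that callee writes `*size_allocated`. Keeping `free_bytes_(0)` in the initializer list, or giving the member an in-class `= 0` where it is declared (not shown here), makes the constructor self-contained at no cost. Note also that `&free_bytes_` now has to be exactly a `uint32_t*`, so the member's declared type must match the new signature; that declaration is outside the hunk, as is the start of the constructor's parameter list.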
@@ -152,12 +152,11 @@ class PaintOpSerializer {
size_t size = op->Serialize(buffer_ + written_bytes_, free_bytes_, options);
if (!size) {
SendSerializedData();
- buffer_ = static_cast<char*>(ri_->MapRasterCHROMIUM(kBlockAlloc));
+ buffer_ =
+ static_cast<char*>(ri_->MapRasterCHROMIUM(initial_size, &free_bytes_));
if (!buffer_) {
- free_bytes_ = 0;
return 0;
}
- free_bytes_ = kBlockAlloc;
size = op->Serialize(buffer_ + written_bytes_, free_bytes_, options);
}
DCHECK_LE(size, free_bytes_);
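Review bot: The re-map on L45 requests `initial_size` where the removed line requested `kBlockAlloc`, which changes the block size used for every buffer after the first, and the commit message describes only the size-allocated fix. If `initial_size` is only a constructor parameter and not a member (the enclosing method's signature is above the hunk, so this cannot be confirmed here), the line does not name anything in scope; if it is a member, the change in block size should either be called out in the description or reverted to `ri_->MapRasterCHROMIUM(kBlockAlloc, &free_bytes_)` so the backport matches the upstream patch. A second consequence worth a comment: because `free_bytes_` can now be smaller than what was asked for, the retry on L51 can legitimately return 0 again, and the code after L53 must treat that as a failed serialize rather than as "nothing to write".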
@@ -993,7 +992,9 @@ void RasterImplementation::DestroyImageCHROMIUM(GLuint image_id) {
CheckGLError();
}
-void* RasterImplementation::MapRasterCHROMIUM(GLsizeiptr size) {
+void* RasterImplementation::MapRasterCHROMIUM(uint32_t size,
+ uint32_t* size_allocated) {
+ *size_allocated = 0u;
if (size < 0) {
SetGLError(GL_INVALID_VALUE, "glMapRasterCHROMIUM", "negative size");
return nullptr;
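Review bot: With `size` changed to `uint32_t`, the `if (size < 0)` test on L61 can never be true, so the "negative size" error path on L61-L63 is dead code and compilers with -Wtype-limits will warn on it. A caller that still passes a negative `GLsizeiptr` now has it converted to a large unsigned value and sails past this check; either delete the three lines or replace the condition with a meaningful upper bound against whatever limit the transfer buffer enforces, e.g. `if (size > kMaxRasterMapSize) {` with the constant defined alongside. The function continues past the end of this hunk.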
@@ -1008,6 +1009,7 @@ void* RasterImplementation::MapRasterCHROMIUM(GLsizeiptr size) {
raster_mapped_buffer_ = base::nullopt;
return nullptr;
}
+ *size_allocated = raster_mapped_buffer_->size();
return raster_mapped_buffer_->address();
}
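Review bot: The new contract promises `*size_allocated` is at most `size`, but nothing in the function asserts it; adding `DCHECK_LE(*size_allocated, size);` immediately after L68 would catch an allocator that hands back more than was requested, which is exactly the class of mismatch this commit is fixing. The return type of `raster_mapped_buffer_->size()` is not visible here; if it is wider than `uint32_t` the assignment on L68 narrows silently and should be an explicit checked cast. The function's beginning is above this hunk.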
diff --git a/chromium/gpu/command_buffer/client/raster_implementation.h b/chromium/gpu/command_buffer/client/raster_implementation.h
index 336599a6c69..23cb707d9d0 100644
--- a/chromium/gpu/command_buffer/client/raster_implementation.h
+++ b/chromium/gpu/command_buffer/client/raster_implementation.h
@@ -163,7 +163,9 @@ class RASTER_EXPORT RasterImplementation : public RasterInterface,
GLenum pname,
GLuint64* params);
- void* MapRasterCHROMIUM(GLsizeiptr size);
+ // Try to map a transfer buffer of |size|. Will return a pointer to a
+ // buffer of |size_allocated|, which will be equal to or lesser than |size|.
+ void* MapRasterCHROMIUM(uint32_t size, uint32_t* size_allocated);
void UnmapRasterCHROMIUM(uint32_t written_size);
// ClientFontManager::Client implementation.
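Review bot: The new comment on L79-L80 should spell out the two facts a caller must depend on, since the bug being fixed was a caller assuming the requested size: on failure the function returns nullptr and sets `*size_allocated` to 0, and on success the caller may write at most `*size_allocated` bytes, never `size`. Suggested wording: `// Maps a transfer buffer of up to |size| bytes. On success returns a pointer to` / `// *|size_allocated| bytes (possibly fewer than |size|); the caller must not write` / `// past that. On failure returns nullptr and sets *|size_allocated| to 0.` "equal to or lesser than" reads awkwardly; "at most" says the same thing.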
diff --git a/chromium/gpu/command_buffer/client/raster_implementation_unittest.cc b/chromium/gpu/command_buffer/client/raster_implementation_unittest.cc
index d2de7d0fa0c..0e1690dcccb 100644
--- a/chromium/gpu/command_buffer/client/raster_implementation_unittest.cc
+++ b/chromium/gpu/command_buffer/client/raster_implementation_unittest.cc
@@ -200,13 +200,6 @@ class RasterImplementationTest : public testing::Test {
QueryTracker* GetQueryTracker() { return gl_->query_tracker_.get(); }
- void* MapRasterCHROMIUM(GLsizeiptr size) {
- return gl_->MapRasterCHROMIUM(size);
- }
- void UnmapRasterCHROMIUM(GLsizeiptr written_size) {
- gl_->UnmapRasterCHROMIUM(written_size);
- }
-
struct ContextInitOptions {
ContextInitOptions()
: bind_generates_resource_client(true),