authorMichael Brüning <michael.bruning@qt.io>2019-03-21 17:48:22 +0100
committerMichael Brüning <michael.bruning@qt.io>2019-03-27 16:13:02 +0000
commit69b772f1e9a975554ad11d74e11826db1e8b0767 (patch)
treeb0e19c1af4abcaa505247e5c630f16fb33f4f1f5
parent8b01fa3780aa1f9a0cdba6e27df0a8d9451134ca (diff)
[Backport] Security bug 905509 (6/13)
Manual backport of original patch by Antoine Labour <piman@chromium.org>: Make ClientTransferCache entries use a uint32_t size As they go into transfer buffers, they need to fit within 4GB, so check that at the source. Some places were silently clamping size_t to uint32_t, which could be a theoretical issue. Bug: 905509 Change-Id: Id4a89557eb4147d0cb16097d8f48fb284a6b3d9f Reviewed-on: https://chromium-review.googlesource.com/c/1400046 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/cc/paint/color_space_transfer_cache_entry.cc5
-rw-r--r--chromium/cc/paint/color_space_transfer_cache_entry.h2
-rw-r--r--chromium/cc/paint/image_transfer_cache_entry.cc4
-rw-r--r--chromium/cc/paint/image_transfer_cache_entry.h4
-rw-r--r--chromium/cc/paint/raw_memory_transfer_cache_entry.cc9
-rw-r--r--chromium/cc/paint/raw_memory_transfer_cache_entry.h2
-rw-r--r--chromium/cc/paint/transfer_cache_entry.h2
-rw-r--r--chromium/cc/tiles/gpu_image_decode_cache.cc2
-rw-r--r--chromium/cc/tiles/gpu_image_decode_cache_unittest.cc2
-rw-r--r--chromium/gpu/command_buffer/client/client_transfer_cache.cc2
-rw-r--r--chromium/gpu/command_buffer/client/client_transfer_cache.h2
-rw-r--r--chromium/gpu/command_buffer/client/context_support.h2
-rw-r--r--chromium/gpu/command_buffer/client/gles2_implementation.cc2
-rw-r--r--chromium/gpu/command_buffer/client/gles2_implementation.h2
-rw-r--r--chromium/gpu/command_buffer/client/raster_implementation.cc4
-rw-r--r--chromium/gpu/command_buffer/client/raster_implementation.h2
16 files changed, 26 insertions, 22 deletions
diff --git a/chromium/cc/paint/color_space_transfer_cache_entry.cc b/chromium/cc/paint/color_space_transfer_cache_entry.cc
index adde3371f4e..31f27438a45 100644
--- a/chromium/cc/paint/color_space_transfer_cache_entry.cc
+++ b/chromium/cc/paint/color_space_transfer_cache_entry.cc
@@ -14,6 +14,7 @@ ClientColorSpaceTransferCacheEntry::ClientColorSpaceTransferCacheEntry(
DCHECK(raster_color_space.color_space.IsValid());
IPC::ParamTraits<gfx::ColorSpace>::Write(&pickle_,
raster_color_space.color_space);
+ DCHECK_LE(pickle_.size(), UINT32_MAX);
}
ClientColorSpaceTransferCacheEntry::~ClientColorSpaceTransferCacheEntry() =
@@ -23,8 +24,8 @@ uint32_t ClientColorSpaceTransferCacheEntry::Id() const {
return id_;
}
-size_t ClientColorSpaceTransferCacheEntry::SerializedSize() const {
- return pickle_.size();
+uint32_t ClientColorSpaceTransferCacheEntry::SerializedSize() const {
+ return static_cast<uint32_t>(pickle_.size());
}
bool ClientColorSpaceTransferCacheEntry::Serialize(
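Review bot: The `static_cast<uint32_t>(pickle_.size())` added at L48 truncates silently whenever the pickle exceeds 4 GiB, and the only guard against that is the `DCHECK_LE` at L39, which compiles out of release builds. Since the point of the commit is to enforce the 32-bit limit at the source, `return base::checked_cast<uint32_t>(pickle_.size());` would CHECK in every build configuration instead of relying on a debug-only assertion. The same pattern appears in raw_memory_transfer_cache_entry.cc (DCHECK at L110, cast at L121).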
diff --git a/chromium/cc/paint/color_space_transfer_cache_entry.h b/chromium/cc/paint/color_space_transfer_cache_entry.h
index baeeb4ce68d..4923c73c7fc 100644
--- a/chromium/cc/paint/color_space_transfer_cache_entry.h
+++ b/chromium/cc/paint/color_space_transfer_cache_entry.h
@@ -29,7 +29,7 @@ class CC_PAINT_EXPORT ClientColorSpaceTransferCacheEntry final
const RasterColorSpace& raster_color_space);
~ClientColorSpaceTransferCacheEntry() override;
uint32_t Id() const override;
- size_t SerializedSize() const override;
+ uint32_t SerializedSize() const override;
bool Serialize(base::span<uint8_t> data) const final;
private:
diff --git a/chromium/cc/paint/image_transfer_cache_entry.cc b/chromium/cc/paint/image_transfer_cache_entry.cc
index fe63071a29f..555b2b3f50c 100644
--- a/chromium/cc/paint/image_transfer_cache_entry.cc
+++ b/chromium/cc/paint/image_transfer_cache_entry.cc
@@ -69,7 +69,7 @@ ClientImageTransferCacheEntry::ClientImageTransferCacheEntry(
: 0u;
// Compute and cache the size of the data.
- base::CheckedNumeric<size_t> safe_size;
+ base::CheckedNumeric<uint32_t> safe_size;
safe_size += PaintOpWriter::HeaderBytes();
safe_size += sizeof(uint32_t); // color type
safe_size += sizeof(uint32_t); // width
@@ -90,7 +90,7 @@ ClientImageTransferCacheEntry::~ClientImageTransferCacheEntry() = default;
// static
base::AtomicSequenceNumber ClientImageTransferCacheEntry::s_next_id_;
-size_t ClientImageTransferCacheEntry::SerializedSize() const {
+uint32_t ClientImageTransferCacheEntry::SerializedSize() const {
return size_;
}
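Review bot: `return size_;` at L80 now returns `uint32_t`, but the `size_` member it reads is not visibly changed anywhere in this diff: the only `size_` the header hunk touches (L97-L98) sits among `ServiceImageTransferCacheEntry`'s members (`context_`, `image_`, `has_mips_`, `fits_on_gpu_`), so `ClientImageTransferCacheEntry::size_` appears to remain `size_t` and this return narrows implicitly, which is the very thing the commit sets out to remove. The constructor hunk at L67-L74 already accumulates into a `base::CheckedNumeric<uint32_t>`, so declaring the client member as `uint32_t size_ = 0;` would make the types agree end to end. How `safe_size` is stored into `size_` lies outside that hunk and is worth checking as well, since a CheckedNumeric that overflowed must not be read out with a default value.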
diff --git a/chromium/cc/paint/image_transfer_cache_entry.h b/chromium/cc/paint/image_transfer_cache_entry.h
index db31ade3796..faf3dbc78fc 100644
--- a/chromium/cc/paint/image_transfer_cache_entry.h
+++ b/chromium/cc/paint/image_transfer_cache_entry.h
@@ -31,7 +31,7 @@ class CC_PAINT_EXPORT ClientImageTransferCacheEntry
uint32_t Id() const final;
// ClientTransferCacheEntry implementation:
- size_t SerializedSize() const final;
+ uint32_t SerializedSize() const final;
bool Serialize(base::span<uint8_t> data) const final;
private:
@@ -67,7 +67,7 @@ class CC_PAINT_EXPORT ServiceImageTransferCacheEntry
GrContext* context_;
sk_sp<SkImage> image_;
bool has_mips_ = false;
- size_t size_ = 0;
+ uint32_t size_ = 0;
bool fits_on_gpu_ = false;
};
diff --git a/chromium/cc/paint/raw_memory_transfer_cache_entry.cc b/chromium/cc/paint/raw_memory_transfer_cache_entry.cc
index 2c41fabd9d9..f2776a36711 100644
--- a/chromium/cc/paint/raw_memory_transfer_cache_entry.cc
+++ b/chromium/cc/paint/raw_memory_transfer_cache_entry.cc
@@ -10,7 +10,10 @@ namespace cc {
ClientRawMemoryTransferCacheEntry::ClientRawMemoryTransferCacheEntry(
std::vector<uint8_t> data)
- : id_(s_next_id_.GetNext()), data_(std::move(data)) {}
+ : id_(s_next_id_.GetNext()), data_(std::move(data)) {
+ DCHECK_LE(data_.size(), UINT32_MAX);
+}
+
ClientRawMemoryTransferCacheEntry::~ClientRawMemoryTransferCacheEntry() =
default;
@@ -39,8 +42,8 @@ ServiceRawMemoryTransferCacheEntry::ServiceRawMemoryTransferCacheEntry() =
ServiceRawMemoryTransferCacheEntry::~ServiceRawMemoryTransferCacheEntry() =
default;
-size_t ServiceRawMemoryTransferCacheEntry::CachedSize() const {
- return data_.size();
+uint32_t ClientRawMemoryTransferCacheEntry::SerializedSize() const {
+ return static_cast<uint32_t>(data_.size());
}
bool ServiceRawMemoryTransferCacheEntry::Deserialize(
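Review bot: The removed and added lines at L118-L121 name different methods on different classes: the hunk deletes the definition of `ServiceRawMemoryTransferCacheEntry::CachedSize()` and puts a definition of `ClientRawMemoryTransferCacheEntry::SerializedSize()` in its place, which looks like the upstream hunk was applied at the wrong `return data_.size();`. As written the service class is left without a CachedSize() body (its declaration is not touched by the header hunk at L128-L135), and if the client's SerializedSize() is still defined earlier in this file the new one duplicates it. The intended edit is presumably to keep `size_t ServiceRawMemoryTransferCacheEntry::CachedSize() const { return data_.size(); }` unchanged and to change the existing client definition to `uint32_t ClientRawMemoryTransferCacheEntry::SerializedSize() const { return static_cast<uint32_t>(data_.size()); }`.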
diff --git a/chromium/cc/paint/raw_memory_transfer_cache_entry.h b/chromium/cc/paint/raw_memory_transfer_cache_entry.h
index c6ce52af731..2e9aafd490a 100644
--- a/chromium/cc/paint/raw_memory_transfer_cache_entry.h
+++ b/chromium/cc/paint/raw_memory_transfer_cache_entry.h
@@ -22,7 +22,7 @@ class CC_PAINT_EXPORT ClientRawMemoryTransferCacheEntry
explicit ClientRawMemoryTransferCacheEntry(std::vector<uint8_t> data);
~ClientRawMemoryTransferCacheEntry() final;
uint32_t Id() const final;
- size_t SerializedSize() const final;
+ uint32_t SerializedSize() const final;
bool Serialize(base::span<uint8_t> data) const final;
private:
diff --git a/chromium/cc/paint/transfer_cache_entry.h b/chromium/cc/paint/transfer_cache_entry.h
index 474bd970344..d7ee1d6b371 100644
--- a/chromium/cc/paint/transfer_cache_entry.h
+++ b/chromium/cc/paint/transfer_cache_entry.h
@@ -47,7 +47,7 @@ class CC_PAINT_EXPORT ClientTransferCacheEntry {
// Returns the serialized sized of this entry in bytes. This function will be
// used to determine how much memory is going to be allocated and passed to
// the Serialize() call.
- virtual size_t SerializedSize() const = 0;
+ virtual uint32_t SerializedSize() const = 0;
// Serializes the entry into the given span of memory. The size of the span is
// guaranteed to be at least SerializedSize() bytes. Returns true on success
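Review bot: The doc comment at L141-L143 still describes SerializedSize() without mentioning the limit the new `uint32_t` return type imposes, so an implementer reading only the header gets no hint that sizes of 4 GiB or more cannot be represented and must be rejected before this is called. Suggested wording: `// Returns the serialized size of this entry in bytes. It must fit in 32 bits because the entry is written into a transfer buffer; implementations enforce this at construction.` That also fixes the pre-existing typo "sized". The enclosing class continues outside the hunk.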
diff --git a/chromium/cc/tiles/gpu_image_decode_cache.cc b/chromium/cc/tiles/gpu_image_decode_cache.cc
index 747f1a367a9..bf409ed9685 100644
--- a/chromium/cc/tiles/gpu_image_decode_cache.cc
+++ b/chromium/cc/tiles/gpu_image_decode_cache.cc
@@ -1539,7 +1539,7 @@ void GpuImageDecodeCache::UploadImageIfNecessary(const DrawImage& draw_image,
ClientImageTransferCacheEntry image_entry(&pixmap, target_color_space.get(),
image_data->needs_mips);
- size_t size = image_entry.SerializedSize();
+ uint32_t size = image_entry.SerializedSize();
void* data = context_->ContextSupport()->MapTransferCacheEntry(size);
if (data) {
bool succeeded = image_entry.Serialize(
diff --git a/chromium/cc/tiles/gpu_image_decode_cache_unittest.cc b/chromium/cc/tiles/gpu_image_decode_cache_unittest.cc
index 5c208a7f605..54b9f9d8ffc 100644
--- a/chromium/cc/tiles/gpu_image_decode_cache_unittest.cc
+++ b/chromium/cc/tiles/gpu_image_decode_cache_unittest.cc
@@ -131,7 +131,7 @@ class FakeGPUImageDecodeTestGLES2Interface : public viz::TestGLES2Interface,
void CompleteLockDiscardableTexureOnContextThread(
uint32_t texture_id) override {}
- void* MapTransferCacheEntry(size_t serialized_size) override {
+ void* MapTransferCacheEntry(uint32_t serialized_size) override {
mapped_entry_size_ = serialized_size;
mapped_entry_.reset(new uint8_t[serialized_size]);
return mapped_entry_.get();
diff --git a/chromium/gpu/command_buffer/client/client_transfer_cache.cc b/chromium/gpu/command_buffer/client/client_transfer_cache.cc
index d6309c39b7c..900361973c4 100644
--- a/chromium/gpu/command_buffer/client/client_transfer_cache.cc
+++ b/chromium/gpu/command_buffer/client/client_transfer_cache.cc
@@ -11,7 +11,7 @@ ClientTransferCache::ClientTransferCache(Client* client) : client_(client) {}
ClientTransferCache::~ClientTransferCache() = default;
void* ClientTransferCache::MapEntry(MappedMemoryManager* mapped_memory,
- size_t size) {
+ uint32_t size) {
DCHECK(!mapped_ptr_);
mapped_ptr_.emplace(size, client_->cmd_buffer_helper(), mapped_memory);
if (!mapped_ptr_->valid()) {
diff --git a/chromium/gpu/command_buffer/client/client_transfer_cache.h b/chromium/gpu/command_buffer/client/client_transfer_cache.h
index 315ff8a486f..684c226d86e 100644
--- a/chromium/gpu/command_buffer/client/client_transfer_cache.h
+++ b/chromium/gpu/command_buffer/client/client_transfer_cache.h
@@ -59,7 +59,7 @@ class GLES2_IMPL_EXPORT ClientTransferCache {
explicit ClientTransferCache(Client* client);
~ClientTransferCache();
- void* MapEntry(MappedMemoryManager* mapped_memory, size_t size);
+ void* MapEntry(MappedMemoryManager* mapped_memory, uint32_t size);
void UnmapAndCreateEntry(uint32_t type, uint32_t id);
bool LockEntry(uint32_t type, uint32_t id);
void UnlockEntries(const std::vector<std::pair<uint32_t, uint32_t>>& entries);
diff --git a/chromium/gpu/command_buffer/client/context_support.h b/chromium/gpu/command_buffer/client/context_support.h
index 3e4fed22080..a3438f75d2a 100644
--- a/chromium/gpu/command_buffer/client/context_support.h
+++ b/chromium/gpu/command_buffer/client/context_support.h
@@ -116,7 +116,7 @@ class ContextSupport {
// Maps a buffer that will receive serialized data for an entry to be created.
// Returns nullptr on failure. If success, must be paired with a call to
// UnmapAndCreateTransferCacheEntry.
- virtual void* MapTransferCacheEntry(size_t serialized_size) = 0;
+ virtual void* MapTransferCacheEntry(uint32_t serialized_size) = 0;
// Unmaps the buffer and creates a transfer cache entry with the serialized
// data.
diff --git a/chromium/gpu/command_buffer/client/gles2_implementation.cc b/chromium/gpu/command_buffer/client/gles2_implementation.cc
index bb7c2c39cf3..b1c20ac07fc 100644
--- a/chromium/gpu/command_buffer/client/gles2_implementation.cc
+++ b/chromium/gpu/command_buffer/client/gles2_implementation.cc
@@ -6090,7 +6090,7 @@ bool GLES2Implementation::ThreadsafeDiscardableTextureIsDeletedForTracing(
return manager->TextureIsDeletedForTracing(texture_id);
}
-void* GLES2Implementation::MapTransferCacheEntry(size_t serialized_size) {
+void* GLES2Implementation::MapTransferCacheEntry(uint32_t serialized_size) {
NOTREACHED();
return nullptr;
}
diff --git a/chromium/gpu/command_buffer/client/gles2_implementation.h b/chromium/gpu/command_buffer/client/gles2_implementation.h
index 920276dc588..6e108466561 100644
--- a/chromium/gpu/command_buffer/client/gles2_implementation.h
+++ b/chromium/gpu/command_buffer/client/gles2_implementation.h
@@ -135,7 +135,7 @@ class GLES2_IMPL_EXPORT GLES2Implementation : public GLES2Interface,
uint32_t texture_id) override;
bool ThreadsafeDiscardableTextureIsDeletedForTracing(
uint32_t texture_id) override;
- void* MapTransferCacheEntry(size_t serialized_size) override;
+ void* MapTransferCacheEntry(uint32_t serialized_size) override;
void UnmapAndCreateTransferCacheEntry(uint32_t type, uint32_t id) override;
bool ThreadsafeLockTransferCacheEntry(uint32_t type, uint32_t id) override;
void UnlockTransferCacheEntries(
diff --git a/chromium/gpu/command_buffer/client/raster_implementation.cc b/chromium/gpu/command_buffer/client/raster_implementation.cc
index 35aa94b8fef..58e11efb3f0 100644
--- a/chromium/gpu/command_buffer/client/raster_implementation.cc
+++ b/chromium/gpu/command_buffer/client/raster_implementation.cc
@@ -101,7 +101,7 @@ class TransferCacheSerializeHelperImpl
}
void CreateEntryInternal(const cc::ClientTransferCacheEntry& entry) final {
- size_t size = entry.SerializedSize();
+ uint32_t size = entry.SerializedSize();
void* data = support_->MapTransferCacheEntry(size);
if (!data)
return;
@@ -401,7 +401,7 @@ bool RasterImplementation::ThreadsafeDiscardableTextureIsDeletedForTracing(
return false;
}
-void* RasterImplementation::MapTransferCacheEntry(size_t serialized_size) {
+void* RasterImplementation::MapTransferCacheEntry(uint32_t serialized_size) {
return transfer_cache_.MapEntry(mapped_memory_.get(), serialized_size);
}
diff --git a/chromium/gpu/command_buffer/client/raster_implementation.h b/chromium/gpu/command_buffer/client/raster_implementation.h
index 033feb5edc3..5acec409569 100644
--- a/chromium/gpu/command_buffer/client/raster_implementation.h
+++ b/chromium/gpu/command_buffer/client/raster_implementation.h
@@ -150,7 +150,7 @@ class RASTER_EXPORT RasterImplementation : public RasterInterface,
uint32_t texture_id) override;
bool ThreadsafeDiscardableTextureIsDeletedForTracing(
uint32_t texture_id) override;
- void* MapTransferCacheEntry(size_t serialized_size) override;
+ void* MapTransferCacheEntry(uint32_t serialized_size) override;
void UnmapAndCreateTransferCacheEntry(uint32_t type, uint32_t id) override;
bool ThreadsafeLockTransferCacheEntry(uint32_t type, uint32_t id) override;
void UnlockTransferCacheEntries(