author | Alexis Hetu <sugoi@google.com> | 2019-03-08 19:22:48 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2019-03-28 15:18:52 +0000 |
commit | 85136fedbde62ecf382362fc82849c8172c67697 (patch) | |
tree | ab50973312760367a6edd2e69d4796592741c74d | |
parent | d720564a5baa5a1f9becec0dba8d7c471d0cbfa9 (diff) | |
[Backport] Security Bug 929088
Y and UV planes release mechanism fix
The Y and UV planes weren't getting released properly because the local
variables used in base::RetainBlock() are snapshots of their current
values and do not get updated by subsequent code. In this case,
y_surface and uv_surface would always be at their original value of
EGL_NO_SURFACE and eglReleaseTexImage/eglDestroySurface would never get
called. Using pointers to these values solves the issue, since the
pointers do not get modified by subsequent code and the values can be
checked properly by dereferencing the pointers.
Bug: chromium:932986 chromium:929088
Reviewed-on: https://chromium-review.googlesource.com/c/1483690
Change-Id: Ie437400dd68709da94368f7972868d6d88c18a06
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r-- | chromium/ui/gl/gl_image_io_surface_egl.mm | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/chromium/ui/gl/gl_image_io_surface_egl.mm b/chromium/ui/gl/gl_image_io_surface_egl.mm
index b637ecc3e61..1a64e23127f 100644
--- a/chromium/ui/gl/gl_image_io_surface_egl.mm
+++ b/chromium/ui/gl/gl_image_io_surface_egl.mm
@@ -195,21 +195,23 @@ bool GLImageIOSurfaceEGL::CopyTexImage(unsigned target) {
 EGLSurface y_surface = EGL_NO_SURFACE;
 EGLSurface uv_surface = EGL_NO_SURFACE;
+ EGLSurface* y_surface_ptr = &y_surface;
+ EGLSurface* uv_surface_ptr = &uv_surface;
 glGetIntegerv(target_getter, &rgb_texture);
 base::ScopedClosureRunner destroy_resources_runner(
 base::BindOnce(base::RetainBlock(^{
- if (y_surface != EGL_NO_SURFACE) {
+ if (*y_surface_ptr != EGL_NO_SURFACE) {
 EGLBoolean result =
- eglReleaseTexImage(display_, y_surface, EGL_BACK_BUFFER);
+ eglReleaseTexImage(display_, *y_surface_ptr, EGL_BACK_BUFFER);
 DCHECK(result == EGL_TRUE);
- result = eglDestroySurface(display_, y_surface);
+ result = eglDestroySurface(display_, *y_surface_ptr);
 DCHECK(result == EGL_TRUE);
 }
- if (uv_surface != EGL_NO_SURFACE) {
+ if (*uv_surface_ptr != EGL_NO_SURFACE) {
 EGLBoolean result =
- eglReleaseTexImage(display_, uv_surface, EGL_BACK_BUFFER);
+ eglReleaseTexImage(display_, *uv_surface_ptr, EGL_BACK_BUFFER);
 DCHECK(result == EGL_TRUE);
- result = eglDestroySurface(display_, uv_surface);
+ result = eglDestroySurface(display_, *uv_surface_ptr);
 DCHECK(result == EGL_TRUE);
 }
 glBindTexture(target, rgb_texture); |
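Review bot: The cleanup block now dereferences `y_surface_ptr` and `uv_surface_ptr`, which point at stack locals of `CopyTexImage`, so it is only safe while `destroy_resources_runner` fires before this frame unwinds, and nothing on the new lines states or enforces that. Because `base::RetainBlock` keeps the block alive independently of the frame, a later refactor that moves or releases the runner would turn this leak fix into a read of dead stack memory. I would add a comment above the two pointer declarations, for example `// Block captures are snapshots, so the surfaces are read through pointers; the runner must not outlive this frame.` If the toolchain permits, declaring the locals `__block` would instead let the block share their storage and make the pointer indirection unnecessary. The rest of `CopyTexImage`, including where the surfaces are assigned, lies outside the hunk, so whether the runner ever escapes cannot be confirmed from here.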