authorMichael BrĂ¼ning <michael.bruning@qt.io>2019-03-21 11:41:26 +0100
committerMichael BrĂ¼ning <michael.bruning@qt.io>2019-03-27 16:12:34 +0000
commit94f1317917fab94923e246016ec9f42913298065 (patch)
tree91e549b3aecd8756300b63785fef69ddbfbdc74d
parentf7fcbe5387154c1c8b793779432db213c0dab024 (diff)
downloadqtwebengine-chromium-94f1317917fab94923e246016ec9f42913298065.tar.gz
[Backport] Security bug 905509 (2/13)
Backport of original patch by Antoine Labour <piman@chromium.org>:

Have CommandBuffer::CreateTransferBuffer take a uint32_t instead of size_t

Because client and service may be of different bitness, offsets in command buffers have to fit in a uint32_t, effectively limiting transfer buffers to 4GB. Make this clear in CommandBuffer::CreateTransferBuffer by taking a uint32_t instead of a size_t (fixing callers as appropriate), avoiding potential security issues with silent clamping.

Bug: 905509
Change-Id: Ia027ba0db2214c1b4e02432d51db734b3e5bf287
Reviewed-on: https://chromium-review.googlesource.com/c/1396132
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/gpu/command_buffer/client/buffer_tracker_unittest.cc2
-rw-r--r--chromium/gpu/command_buffer/client/client_discardable_manager.cc11
-rw-r--r--chromium/gpu/command_buffer/client/client_discardable_manager.h5
-rw-r--r--chromium/gpu/command_buffer/client/client_discardable_manager_unittest.cc8
-rw-r--r--chromium/gpu/command_buffer/client/client_test_helper.cc4
-rw-r--r--chromium/gpu/command_buffer/client/cmd_buffer_helper.cc2
-rw-r--r--chromium/gpu/command_buffer/client/cmd_buffer_helper.h4
-rw-r--r--chromium/gpu/command_buffer/client/command_buffer_direct_locked.cc2
-rw-r--r--chromium/gpu/command_buffer/client/command_buffer_direct_locked.h2
-rw-r--r--chromium/gpu/command_buffer/client/mapped_memory.cc12
-rw-r--r--chromium/gpu/command_buffer/client/mapped_memory.h4
-rw-r--r--chromium/gpu/command_buffer/client/mock_transfer_buffer.cc12
-rw-r--r--chromium/gpu/command_buffer/client/mock_transfer_buffer.h14
-rw-r--r--chromium/gpu/command_buffer/client/shared_memory_limits.h2
-rw-r--r--chromium/gpu/command_buffer/client/transfer_buffer_unittest.cc4
-rw-r--r--chromium/gpu/command_buffer/common/command_buffer.h2
-rw-r--r--chromium/gpu/command_buffer/service/command_buffer_direct.cc4
-rw-r--r--chromium/gpu/command_buffer/service/command_buffer_direct.h5
-rw-r--r--chromium/gpu/command_buffer/service/command_buffer_service.cc4
-rw-r--r--chromium/gpu/command_buffer/service/command_buffer_service.h4
-rw-r--r--chromium/gpu/ipc/client/command_buffer_proxy_impl.cc2
-rw-r--r--chromium/gpu/ipc/client/command_buffer_proxy_impl.h2
-rw-r--r--chromium/gpu/ipc/in_process_command_buffer.cc2
-rw-r--r--chromium/gpu/ipc/in_process_command_buffer.h2
-rw-r--r--chromium/ppapi/proxy/ppapi_command_buffer_proxy.cc5
-rw-r--r--chromium/ppapi/proxy/ppapi_command_buffer_proxy.h2
26 files changed, 62 insertions, 60 deletions
diff --git a/chromium/gpu/command_buffer/client/buffer_tracker_unittest.cc b/chromium/gpu/command_buffer/client/buffer_tracker_unittest.cc
index c01197ee33a..f2599aaca16 100644
--- a/chromium/gpu/command_buffer/client/buffer_tracker_unittest.cc
+++ b/chromium/gpu/command_buffer/client/buffer_tracker_unittest.cc
@@ -30,7 +30,7 @@ class MockClientCommandBufferImpl : public MockClientCommandBuffer {
context_lost_(false) {}
~MockClientCommandBufferImpl() override = default;
- scoped_refptr<gpu::Buffer> CreateTransferBuffer(size_t size,
+ scoped_refptr<gpu::Buffer> CreateTransferBuffer(uint32_t size,
int32_t* id) override {
if (context_lost_) {
*id = -1;
diff --git a/chromium/gpu/command_buffer/client/client_discardable_manager.cc b/chromium/gpu/command_buffer/client/client_discardable_manager.cc
index 61794ed7b6d..04ed4756cef 100644
--- a/chromium/gpu/command_buffer/client/client_discardable_manager.cc
+++ b/chromium/gpu/command_buffer/client/client_discardable_manager.cc
@@ -5,6 +5,7 @@
#include "gpu/command_buffer/client/client_discardable_manager.h"
#include "base/containers/flat_set.h"
+#include "base/numerics/checked_math.h"
#include "base/sys_info.h"
namespace gpu {
@@ -107,17 +108,17 @@ void FreeOffsetSet::ReturnFreeOffset(uint32_t offset) {
// Returns the size of the allocation which ClientDiscardableManager will
// sub-allocate from. This should be at least as big as the minimum shared
// memory allocation size.
-size_t AllocationSize() {
+uint32_t AllocationSize() {
#if defined(OS_NACL)
// base::SysInfo isn't available under NaCl.
- size_t allocation_size = getpagesize();
+ size_t system_allocation_size = getpagesize();
#else
- size_t allocation_size = base::SysInfo::VMAllocationGranularity();
+ size_t system_allocation_size = base::SysInfo::VMAllocationGranularity();
#endif
+ DCHECK(base::CheckedNumeric<uint32_t>(system_allocation_size).IsValid());
// If the allocation is small (less than 2K), round it up to at least 2K.
- allocation_size = std::max(static_cast<size_t>(2048), allocation_size);
- return allocation_size;
+ return std::max(2048u, static_cast<uint32_t>(system_allocation_size));
}
} // namespace
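Review bot: The narrowing in AllocationSize() is guarded only by a DCHECK, which is not evaluated in builds that disable DCHECKs, so the `static_cast<uint32_t>(system_allocation_size)` on the return line would truncate silently there if the value ever exceeded 32 bits. That is unlikely for a page size or allocation granularity, but the commit's stated goal is to avoid silent narrowing. `return std::max(2048u, base::checked_cast<uint32_t>(system_allocation_size));` enforces the bound in every build and makes the DCHECK redundant. checked_cast comes from base/numerics/safe_conversions.h, so the include added in the first hunk of this file would change with it.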
diff --git a/chromium/gpu/command_buffer/client/client_discardable_manager.h b/chromium/gpu/command_buffer/client/client_discardable_manager.h
index d5f3ece26e5..47a7ba1b5bb 100644
--- a/chromium/gpu/command_buffer/client/client_discardable_manager.h
+++ b/chromium/gpu/command_buffer/client/client_discardable_manager.h
@@ -50,10 +50,9 @@ class GPU_EXPORT ClientDiscardableManager {
void CheckPending(CommandBuffer* command_buffer);
private:
- size_t allocation_size_;
+ uint32_t allocation_size_;
size_t element_size_ = sizeof(base::subtle::Atomic32);
- uint32_t elements_per_allocation_ =
- static_cast<uint32_t>(allocation_size_ / element_size_);
+ uint32_t elements_per_allocation_ = allocation_size_ / element_size_;
struct Allocation;
std::vector<std::unique_ptr<Allocation>> allocations_;
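Review bot: `element_size_` is still `size_t`, so `allocation_size_ / element_size_` is evaluated in `size_t` and narrowed implicitly to `uint32_t` now that the `static_cast` is gone. The quotient cannot exceed `allocation_size_`, so the value is safe, but the implicit conversion is the pattern this commit removes elsewhere; declaring `uint32_t element_size_ = sizeof(base::subtle::Atomic32);` keeps the whole expression in 32 bits. The initializer also reads `allocation_size_`, which has no default value and is presumably set by a constructor outside this hunk, so a short comment noting that the member order matters would protect it from reordering.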
diff --git a/chromium/gpu/command_buffer/client/client_discardable_manager_unittest.cc b/chromium/gpu/command_buffer/client/client_discardable_manager_unittest.cc
index d04570b62a3..68f7c57c569 100644
--- a/chromium/gpu/command_buffer/client/client_discardable_manager_unittest.cc
+++ b/chromium/gpu/command_buffer/client/client_discardable_manager_unittest.cc
@@ -31,16 +31,12 @@ class FakeCommandBuffer : public CommandBuffer {
return State();
}
void SetGetBuffer(int32_t transfer_buffer_id) override { NOTREACHED(); }
- scoped_refptr<gpu::Buffer> CreateTransferBuffer(size_t size,
+ scoped_refptr<gpu::Buffer> CreateTransferBuffer(uint32_t size,
int32_t* id) override {
EXPECT_GE(size, 2048u);
*id = next_id_++;
active_ids_.insert(*id);
- base::UnsafeSharedMemoryRegion shmem_region =
- base::UnsafeSharedMemoryRegion::Create(size);
- base::WritableSharedMemoryMapping shmem_mapping = shmem_region.Map();
- return MakeBufferFromSharedMemory(std::move(shmem_region),
- std::move(shmem_mapping));
+ return MakeMemoryBuffer(size);
}
void DestroyTransferBuffer(int32_t id) override {
auto found = active_ids_.find(id);
diff --git a/chromium/gpu/command_buffer/client/client_test_helper.cc b/chromium/gpu/command_buffer/client/client_test_helper.cc
index c9ef1e92f9e..1b0003ed8ad 100644
--- a/chromium/gpu/command_buffer/client/client_test_helper.cc
+++ b/chromium/gpu/command_buffer/client/client_test_helper.cc
@@ -51,7 +51,7 @@ void FakeCommandBufferServiceBase::SetGetBufferHelper(int transfer_buffer_id,
}
scoped_refptr<gpu::Buffer>
-FakeCommandBufferServiceBase::CreateTransferBufferHelper(size_t size,
+FakeCommandBufferServiceBase::CreateTransferBufferHelper(uint32_t size,
int32_t* id) {
*id = GetNextFreeTransferBufferId();
if (*id >= 0) {
@@ -138,7 +138,7 @@ void MockClientCommandBuffer::SetGetBuffer(int transfer_buffer_id) {
}
scoped_refptr<gpu::Buffer> MockClientCommandBuffer::CreateTransferBuffer(
- size_t size,
+ uint32_t size,
int32_t* id) {
return CreateTransferBufferHelper(size, id);
}
diff --git a/chromium/gpu/command_buffer/client/cmd_buffer_helper.cc b/chromium/gpu/command_buffer/client/cmd_buffer_helper.cc
index 8d95a8053b2..5a764e48d45 100644
--- a/chromium/gpu/command_buffer/client/cmd_buffer_helper.cc
+++ b/chromium/gpu/command_buffer/client/cmd_buffer_helper.cc
@@ -133,7 +133,7 @@ void CommandBufferHelper::FreeRingBuffer() {
}
}
-gpu::ContextResult CommandBufferHelper::Initialize(int32_t ring_buffer_size) {
+gpu::ContextResult CommandBufferHelper::Initialize(uint32_t ring_buffer_size) {
ring_buffer_size_ = ring_buffer_size;
if (!AllocateRingBuffer()) {
// This would fail if CreateTransferBuffer fails, which will not fail for
diff --git a/chromium/gpu/command_buffer/client/cmd_buffer_helper.h b/chromium/gpu/command_buffer/client/cmd_buffer_helper.h
index fe17cceef7e..36cba0ed765 100644
--- a/chromium/gpu/command_buffer/client/cmd_buffer_helper.h
+++ b/chromium/gpu/command_buffer/client/cmd_buffer_helper.h
@@ -61,7 +61,7 @@ class GPU_EXPORT CommandBufferHelper
// Parameters:
// ring_buffer_size: The size of the ring buffer portion of the command
// buffer.
- gpu::ContextResult Initialize(int32_t ring_buffer_size);
+ gpu::ContextResult Initialize(uint32_t ring_buffer_size);
// Sets whether the command buffer should automatically flush periodically
// to try to increase performance. Defaults to true.
@@ -295,7 +295,7 @@ class GPU_EXPORT CommandBufferHelper
CommandBuffer* const command_buffer_;
int32_t ring_buffer_id_ = -1;
- int32_t ring_buffer_size_ = 0;
+ uint32_t ring_buffer_size_ = 0;
scoped_refptr<gpu::Buffer> ring_buffer_;
CommandBufferEntry* entries_ = nullptr;
int32_t total_entry_count_ = 0; // the total number of entries
diff --git a/chromium/gpu/command_buffer/client/command_buffer_direct_locked.cc b/chromium/gpu/command_buffer/client/command_buffer_direct_locked.cc
index f51210e97b0..1d47fd24d10 100644
--- a/chromium/gpu/command_buffer/client/command_buffer_direct_locked.cc
+++ b/chromium/gpu/command_buffer/client/command_buffer_direct_locked.cc
@@ -42,7 +42,7 @@ CommandBuffer::State CommandBufferDirectLocked::WaitForGetOffsetInRange(
}
scoped_refptr<Buffer> CommandBufferDirectLocked::CreateTransferBuffer(
- size_t size,
+ uint32_t size,
int32_t* id) {
if (fail_create_transfer_buffer_) {
*id = -1;
diff --git a/chromium/gpu/command_buffer/client/command_buffer_direct_locked.h b/chromium/gpu/command_buffer/client/command_buffer_direct_locked.h
index 0d55f1186b0..8af342d22a1 100644
--- a/chromium/gpu/command_buffer/client/command_buffer_direct_locked.h
+++ b/chromium/gpu/command_buffer/client/command_buffer_direct_locked.h
@@ -24,7 +24,7 @@ class CommandBufferDirectLocked : public CommandBufferDirect {
CommandBuffer::State WaitForGetOffsetInRange(uint32_t set_get_buffer_count,
int32_t start,
int32_t end) override;
- scoped_refptr<Buffer> CreateTransferBuffer(size_t size, int32_t* id) override;
+ scoped_refptr<Buffer> CreateTransferBuffer(uint32_t size, int32_t* id) override;
void LockFlush() { flush_locked_ = true; }
diff --git a/chromium/gpu/command_buffer/client/mapped_memory.cc b/chromium/gpu/command_buffer/client/mapped_memory.cc
index 47e4c5aa233..34580415bce 100644
--- a/chromium/gpu/command_buffer/client/mapped_memory.cc
+++ b/chromium/gpu/command_buffer/client/mapped_memory.cc
@@ -13,6 +13,7 @@
#include "base/atomic_sequence_num.h"
#include "base/logging.h"
#include "base/memory/ptr_util.h"
+#include "base/numerics/checked_math.h"
#include "base/numerics/safe_conversions.h"
#include "base/strings/stringprintf.h"
#include "base/threading/thread_task_runner_handle.h"
@@ -105,12 +106,15 @@ void* MappedMemoryManager::Alloc(unsigned int size,
// Make a new chunk to satisfy the request.
CommandBuffer* cmd_buf = helper_->command_buffer();
- unsigned int chunk_size =
- ((size + chunk_size_multiple_ - 1) / chunk_size_multiple_) *
- chunk_size_multiple_;
+ base::CheckedNumeric<uint32_t> chunk_size = size;
+ chunk_size = (size + chunk_size_multiple_ - 1) & ~(chunk_size_multiple_ - 1);
+ uint32_t safe_chunk_size = 0;
+ if (!chunk_size.AssignIfValid(&safe_chunk_size))
+ return nullptr;
+
int32_t id = -1;
scoped_refptr<gpu::Buffer> shm =
- cmd_buf->CreateTransferBuffer(chunk_size, &id);
+ cmd_buf->CreateTransferBuffer(safe_chunk_size, &id);
if (id < 0)
return NULL;
DCHECK(shm.get());
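Review bot: The overflow check on `chunk_size` cannot fire, because `(size + chunk_size_multiple_ - 1) & ~(chunk_size_multiple_ - 1)` is evaluated in plain unsigned arithmetic before it is assigned to the CheckedNumeric. `size` is `unsigned int`, and `chunk_size_multiple_` appears to be as well, since its setter in mapped_memory.h takes `unsigned int`. A `size` close to the 32-bit maximum therefore wraps to a small value, AssignIfValid succeeds, and the transfer buffer is created smaller than the request. Doing the addition on the checked value, `chunk_size += chunk_size_multiple_ - 1;`, and applying the mask after validation, `safe_chunk_size &= ~(chunk_size_multiple_ - 1);`, makes the check effective and gives the initial `chunk_size = size` a purpose. The rest of Alloc lies outside this hunk, so whether a later step rejects an undersized chunk cannot be confirmed from here.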
diff --git a/chromium/gpu/command_buffer/client/mapped_memory.h b/chromium/gpu/command_buffer/client/mapped_memory.h
index c23e60259d3..ee5f50a5504 100644
--- a/chromium/gpu/command_buffer/client/mapped_memory.h
+++ b/chromium/gpu/command_buffer/client/mapped_memory.h
@@ -11,6 +11,7 @@
#include <memory>
#include "base/bind.h"
+#include "base/bits.h"
#include "base/macros.h"
#include "base/trace_event/memory_dump_provider.h"
#include "gpu/command_buffer/client/fenced_allocator.h"
@@ -144,7 +145,8 @@ class GPU_EXPORT MappedMemoryManager {
}
void set_chunk_size_multiple(unsigned int multiple) {
- DCHECK(multiple % FencedAllocator::kAllocAlignment == 0);
+ DCHECK(base::bits::IsPowerOfTwo(multiple));
+ DCHECK_GE(multiple, FencedAllocator::kAllocAlignment);
chunk_size_multiple_ = multiple;
}
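Review bot: set_chunk_size_multiple() now has a stricter precondition than before, and only the two DCHECKs state it. The mask-based rounding this commit introduces in MappedMemoryManager::Alloc is correct only for a power-of-two multiple, and DCHECKs are not evaluated in builds that disable them. A comment above the setter would make that explicit, for example `// |multiple| must be a power of two and at least FencedAllocator::kAllocAlignment; Alloc() rounds chunk sizes with a bit mask.` The removed check `multiple % FencedAllocator::kAllocAlignment == 0` is implied by the new pair only if kAllocAlignment is itself a power of two, which is not visible in this hunk.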
diff --git a/chromium/gpu/command_buffer/client/mock_transfer_buffer.cc b/chromium/gpu/command_buffer/client/mock_transfer_buffer.cc
index c3a48702980..fda3d58b3e1 100644
--- a/chromium/gpu/command_buffer/client/mock_transfer_buffer.cc
+++ b/chromium/gpu/command_buffer/client/mock_transfer_buffer.cc
@@ -79,7 +79,7 @@ void* MockTransferBuffer::AllocUpTo(unsigned int size,
// reallocated.
actual_buffer_index_ = (actual_buffer_index_ + 1) % kNumBuffers;
- size = std::min(static_cast<size_t>(size), MaxTransferBufferSize());
+ size = std::min(size, MaxTransferBufferSize());
if (actual_offset_ + size > size_) {
actual_offset_ = result_size_;
}
@@ -129,7 +129,7 @@ unsigned int MockTransferBuffer::GetFragmentedFreeSize() const {
void MockTransferBuffer::ShrinkLastBlock(unsigned int new_size) {}
-size_t MockTransferBuffer::MaxTransferBufferSize() {
+uint32_t MockTransferBuffer::MaxTransferBufferSize() {
return size_ - result_size_;
}
@@ -143,7 +143,7 @@ bool MockTransferBuffer::InSync() {
}
MockTransferBuffer::ExpectedMemoryInfo MockTransferBuffer::GetExpectedMemory(
- size_t size) {
+ uint32_t size) {
ExpectedMemoryInfo mem;
mem.offset = AllocateExpectedTransferBuffer(size);
mem.id = GetExpectedTransferBufferId();
@@ -153,7 +153,7 @@ MockTransferBuffer::ExpectedMemoryInfo MockTransferBuffer::GetExpectedMemory(
}
MockTransferBuffer::ExpectedMemoryInfo
-MockTransferBuffer::GetExpectedResultMemory(size_t size) {
+MockTransferBuffer::GetExpectedResultMemory(uint32_t size) {
ExpectedMemoryInfo mem;
mem.offset = GetExpectedResultBufferOffset();
mem.id = GetExpectedResultBufferId();
@@ -162,7 +162,7 @@ MockTransferBuffer::GetExpectedResultMemory(size_t size) {
return mem;
}
-uint32_t MockTransferBuffer::AllocateExpectedTransferBuffer(size_t size) {
+uint32_t MockTransferBuffer::AllocateExpectedTransferBuffer(uint32_t size) {
EXPECT_LE(size, MaxTransferBufferSize());
// Toggle which buffer we get each time to simulate the buffer being
@@ -180,7 +180,7 @@ uint32_t MockTransferBuffer::AllocateExpectedTransferBuffer(size_t size) {
}
void* MockTransferBuffer::GetExpectedTransferAddressFromOffset(uint32_t offset,
- size_t size) {
+ uint32_t size) {
EXPECT_GE(offset, expected_buffer_index_ * alignment_);
EXPECT_LE(offset + size, size_ + expected_buffer_index_ * alignment_);
return expected_buffer() + offset;
diff --git a/chromium/gpu/command_buffer/client/mock_transfer_buffer.h b/chromium/gpu/command_buffer/client/mock_transfer_buffer.h
index 06b97a7838e..19aa83cf020 100644
--- a/chromium/gpu/command_buffer/client/mock_transfer_buffer.h
+++ b/chromium/gpu/command_buffer/client/mock_transfer_buffer.h
@@ -50,11 +50,11 @@ class MockTransferBuffer : public TransferBufferInterface {
unsigned int GetFragmentedFreeSize() const override;
void ShrinkLastBlock(unsigned int new_size) override;
- size_t MaxTransferBufferSize();
+ uint32_t MaxTransferBufferSize();
unsigned int RoundToAlignment(unsigned int size);
bool InSync();
- ExpectedMemoryInfo GetExpectedMemory(size_t size);
- ExpectedMemoryInfo GetExpectedResultMemory(size_t size);
+ ExpectedMemoryInfo GetExpectedMemory(uint32_t size);
+ ExpectedMemoryInfo GetExpectedResultMemory(uint32_t size);
private:
static const int kNumBuffers = 2;
@@ -67,15 +67,15 @@ class MockTransferBuffer : public TransferBufferInterface {
return static_cast<uint8_t*>(buffers_[expected_buffer_index_]->memory());
}
- uint32_t AllocateExpectedTransferBuffer(size_t size);
- void* GetExpectedTransferAddressFromOffset(uint32_t offset, size_t size);
+ uint32_t AllocateExpectedTransferBuffer(uint32_t size);
+ void* GetExpectedTransferAddressFromOffset(uint32_t offset, uint32_t size);
int GetExpectedResultBufferId();
uint32_t GetExpectedResultBufferOffset();
int GetExpectedTransferBufferId();
CommandBuffer* command_buffer_;
- size_t size_;
- size_t result_size_;
+ uint32_t size_;
+ uint32_t result_size_;
uint32_t alignment_;
int buffer_ids_[kNumBuffers];
scoped_refptr<Buffer> buffers_[kNumBuffers];
diff --git a/chromium/gpu/command_buffer/client/shared_memory_limits.h b/chromium/gpu/command_buffer/client/shared_memory_limits.h
index fb1bb0a8303..7216cce64af 100644
--- a/chromium/gpu/command_buffer/client/shared_memory_limits.h
+++ b/chromium/gpu/command_buffer/client/shared_memory_limits.h
@@ -35,7 +35,7 @@ struct SharedMemoryLimits {
#endif
}
- int32_t command_buffer_size = 1024 * 1024;
+ uint32_t command_buffer_size = 1024 * 1024;
uint32_t start_transfer_buffer_size = 64 * 1024;
uint32_t min_transfer_buffer_size = 64 * 1024;
uint32_t max_transfer_buffer_size = 16 * 1024 * 1024;
diff --git a/chromium/gpu/command_buffer/client/transfer_buffer_unittest.cc b/chromium/gpu/command_buffer/client/transfer_buffer_unittest.cc
index 04f1ad8db86..ffad03c89ef 100644
--- a/chromium/gpu/command_buffer/client/transfer_buffer_unittest.cc
+++ b/chromium/gpu/command_buffer/client/transfer_buffer_unittest.cc
@@ -230,9 +230,9 @@ class MockClientCommandBufferCanFail : public MockClientCommandBufferMockFlush {
~MockClientCommandBufferCanFail() override = default;
MOCK_METHOD2(CreateTransferBuffer,
- scoped_refptr<Buffer>(size_t size, int32_t* id));
+ scoped_refptr<Buffer>(uint32_t size, int32_t* id));
- scoped_refptr<gpu::Buffer> RealCreateTransferBuffer(size_t size,
+ scoped_refptr<gpu::Buffer> RealCreateTransferBuffer(uint32_t size,
int32_t* id) {
return MockClientCommandBufferMockFlush::CreateTransferBuffer(size, id);
}
diff --git a/chromium/gpu/command_buffer/common/command_buffer.h b/chromium/gpu/command_buffer/common/command_buffer.h
index a99e0bad2a9..68433bb2ece 100644
--- a/chromium/gpu/command_buffer/common/command_buffer.h
+++ b/chromium/gpu/command_buffer/common/command_buffer.h
@@ -110,7 +110,7 @@ class GPU_EXPORT CommandBuffer {
// Create a transfer buffer of the given size. Returns its ID or -1 on
// error.
- virtual scoped_refptr<gpu::Buffer> CreateTransferBuffer(size_t size,
+ virtual scoped_refptr<gpu::Buffer> CreateTransferBuffer(uint32_t size,
int32_t* id) = 0;
// Destroy a transfer buffer. The ID must be positive.
diff --git a/chromium/gpu/command_buffer/service/command_buffer_direct.cc b/chromium/gpu/command_buffer/service/command_buffer_direct.cc
index 8c7f8616f63..41c7fe26d12 100644
--- a/chromium/gpu/command_buffer/service/command_buffer_direct.cc
+++ b/chromium/gpu/command_buffer/service/command_buffer_direct.cc
@@ -112,7 +112,7 @@ void CommandBufferDirect::SetGetBuffer(int32_t transfer_buffer_id) {
service_.SetGetBuffer(transfer_buffer_id);
}
-scoped_refptr<Buffer> CommandBufferDirect::CreateTransferBuffer(size_t size,
+scoped_refptr<Buffer> CommandBufferDirect::CreateTransferBuffer(uint32_t size,
int32_t* id) {
return service_.CreateTransferBuffer(size, id);
}
@@ -188,7 +188,7 @@ void CommandBufferDirect::SignalSyncToken(const gpu::SyncToken& sync_token,
}
scoped_refptr<Buffer> CommandBufferDirect::CreateTransferBufferWithId(
- size_t size,
+ uint32_t size,
int32_t id) {
return service_.CreateTransferBufferWithId(size, id);
}
diff --git a/chromium/gpu/command_buffer/service/command_buffer_direct.h b/chromium/gpu/command_buffer/service/command_buffer_direct.h
index 7897b08e1ed..42ad568242f 100644
--- a/chromium/gpu/command_buffer/service/command_buffer_direct.h
+++ b/chromium/gpu/command_buffer/service/command_buffer_direct.h
@@ -45,7 +45,8 @@ class GPU_EXPORT CommandBufferDirect : public CommandBuffer,
int32_t start,
int32_t end) override;
void SetGetBuffer(int32_t transfer_buffer_id) override;
- scoped_refptr<Buffer> CreateTransferBuffer(size_t size, int32_t* id) override;
+ scoped_refptr<Buffer> CreateTransferBuffer(uint32_t size,
+ int32_t* id) override;
void DestroyTransferBuffer(int32_t id) override;
// CommandBufferServiceBase implementation:
@@ -69,7 +70,7 @@ class GPU_EXPORT CommandBufferDirect : public CommandBuffer,
void SignalSyncToken(const gpu::SyncToken& sync_token,
base::OnceClosure callback);
- scoped_refptr<Buffer> CreateTransferBufferWithId(size_t size, int32_t id);
+ scoped_refptr<Buffer> CreateTransferBufferWithId(uint32_t size, int32_t id);
void SetGetOffsetForTest(int32_t get_offset) {
service_.SetGetOffsetForTest(get_offset);
diff --git a/chromium/gpu/command_buffer/service/command_buffer_service.cc b/chromium/gpu/command_buffer/service/command_buffer_service.cc
index 453e59d1dac..aa2f6aae3d3 100644
--- a/chromium/gpu/command_buffer/service/command_buffer_service.cc
+++ b/chromium/gpu/command_buffer/service/command_buffer_service.cc
@@ -163,7 +163,7 @@ void CommandBufferService::SetReleaseCount(uint64_t release_count) {
UpdateState();
}
-scoped_refptr<Buffer> CommandBufferService::CreateTransferBuffer(size_t size,
+scoped_refptr<Buffer> CommandBufferService::CreateTransferBuffer(uint32_t size,
int32_t* id) {
static int32_t next_id = 1;
*id = next_id++;
@@ -189,7 +189,7 @@ bool CommandBufferService::RegisterTransferBuffer(
}
scoped_refptr<Buffer> CommandBufferService::CreateTransferBufferWithId(
- size_t size,
+ uint32_t size,
int32_t id) {
if (!RegisterTransferBuffer(id,
std::make_unique<MemoryBufferBacking>(size))) {
diff --git a/chromium/gpu/command_buffer/service/command_buffer_service.h b/chromium/gpu/command_buffer/service/command_buffer_service.h
index 8028d0e3186..d23d3d938ab 100644
--- a/chromium/gpu/command_buffer/service/command_buffer_service.h
+++ b/chromium/gpu/command_buffer/service/command_buffer_service.h
@@ -107,10 +107,10 @@ class GPU_EXPORT CommandBufferService : public CommandBufferServiceBase {
// Creates an in-process transfer buffer and register it with a newly created
// id.
- scoped_refptr<Buffer> CreateTransferBuffer(size_t size, int32_t* id);
+ scoped_refptr<Buffer> CreateTransferBuffer(uint32_t size, int32_t* id);
// Creates an in-process transfer buffer and register it with a given id.
- scoped_refptr<Buffer> CreateTransferBufferWithId(size_t size, int32_t id);
+ scoped_refptr<Buffer> CreateTransferBufferWithId(uint32_t size, int32_t id);
// Sets whether commands should be processed by this scheduler. Setting to
// false unschedules. Setting to true reschedules.
diff --git a/chromium/gpu/ipc/client/command_buffer_proxy_impl.cc b/chromium/gpu/ipc/client/command_buffer_proxy_impl.cc
index fe6c4266a77..3685d92ddf1 100644
--- a/chromium/gpu/ipc/client/command_buffer_proxy_impl.cc
+++ b/chromium/gpu/ipc/client/command_buffer_proxy_impl.cc
@@ -366,7 +366,7 @@ void CommandBufferProxyImpl::SetGetBuffer(int32_t shm_id) {
}
scoped_refptr<gpu::Buffer> CommandBufferProxyImpl::CreateTransferBuffer(
- size_t size,
+ uint32_t size,
int32_t* id) {
CheckLock();
base::AutoLock lock(last_state_lock_);
diff --git a/chromium/gpu/ipc/client/command_buffer_proxy_impl.h b/chromium/gpu/ipc/client/command_buffer_proxy_impl.h
index 8346bee7990..cc5daba1e1a 100644
--- a/chromium/gpu/ipc/client/command_buffer_proxy_impl.h
+++ b/chromium/gpu/ipc/client/command_buffer_proxy_impl.h
@@ -102,7 +102,7 @@ class GPU_EXPORT CommandBufferProxyImpl : public gpu::CommandBuffer,
int32_t start,
int32_t end) override;
void SetGetBuffer(int32_t shm_id) override;
- scoped_refptr<gpu::Buffer> CreateTransferBuffer(size_t size,
+ scoped_refptr<gpu::Buffer> CreateTransferBuffer(uint32_t size,
int32_t* id) override;
void DestroyTransferBuffer(int32_t id) override;
diff --git a/chromium/gpu/ipc/in_process_command_buffer.cc b/chromium/gpu/ipc/in_process_command_buffer.cc
index fff92806ab7..9c5f679270c 100644
--- a/chromium/gpu/ipc/in_process_command_buffer.cc
+++ b/chromium/gpu/ipc/in_process_command_buffer.cc
@@ -799,7 +799,7 @@ void InProcessCommandBuffer::SetGetBufferOnGpuThread(
}
scoped_refptr<Buffer> InProcessCommandBuffer::CreateTransferBuffer(
- size_t size,
+ uint32_t size,
int32_t* id) {
CheckSequencedThread();
base::AutoLock lock(command_buffer_lock_);
diff --git a/chromium/gpu/ipc/in_process_command_buffer.h b/chromium/gpu/ipc/in_process_command_buffer.h
index fcc35e4c9ef..37dea3b8d81 100644
--- a/chromium/gpu/ipc/in_process_command_buffer.h
+++ b/chromium/gpu/ipc/in_process_command_buffer.h
@@ -106,7 +106,7 @@ class GL_IN_PROCESS_CONTEXT_EXPORT InProcessCommandBuffer
int32_t start,
int32_t end) override;
void SetGetBuffer(int32_t shm_id) override;
- scoped_refptr<Buffer> CreateTransferBuffer(size_t size, int32_t* id) override;
+ scoped_refptr<Buffer> CreateTransferBuffer(uint32_t size, int32_t* id) override;
void DestroyTransferBuffer(int32_t id) override;
// GpuControl implementation:
diff --git a/chromium/ppapi/proxy/ppapi_command_buffer_proxy.cc b/chromium/ppapi/proxy/ppapi_command_buffer_proxy.cc
index 90f4147bd1f..be9abe8def3 100644
--- a/chromium/ppapi/proxy/ppapi_command_buffer_proxy.cc
+++ b/chromium/ppapi/proxy/ppapi_command_buffer_proxy.cc
@@ -117,7 +117,7 @@ void PpapiCommandBufferProxy::SetGetBuffer(int32_t transfer_buffer_id) {
}
scoped_refptr<gpu::Buffer> PpapiCommandBufferProxy::CreateTransferBuffer(
- size_t size,
+ uint32_t size,
int32_t* id) {
*id = -1;
@@ -129,8 +129,7 @@ scoped_refptr<gpu::Buffer> PpapiCommandBufferProxy::CreateTransferBuffer(
ppapi::proxy::SerializedHandle handle(
ppapi::proxy::SerializedHandle::SHARED_MEMORY_REGION);
if (!Send(new PpapiHostMsg_PPBGraphics3D_CreateTransferBuffer(
- ppapi::API_ID_PPB_GRAPHICS_3D, resource_,
- base::checked_cast<uint32_t>(size), id, &handle))) {
+ ppapi::API_ID_PPB_GRAPHICS_3D, resource_, size, id, &handle))) {
if (last_state_.error == gpu::error::kNoError)
last_state_.error = gpu::error::kLostContext;
return NULL;
diff --git a/chromium/ppapi/proxy/ppapi_command_buffer_proxy.h b/chromium/ppapi/proxy/ppapi_command_buffer_proxy.h
index 28588f265af..c3ce83046e6 100644
--- a/chromium/ppapi/proxy/ppapi_command_buffer_proxy.h
+++ b/chromium/ppapi/proxy/ppapi_command_buffer_proxy.h
@@ -50,7 +50,7 @@ class PPAPI_PROXY_EXPORT PpapiCommandBufferProxy : public gpu::CommandBuffer,
int32_t start,
int32_t end) override;
void SetGetBuffer(int32_t transfer_buffer_id) override;
- scoped_refptr<gpu::Buffer> CreateTransferBuffer(size_t size,
+ scoped_refptr<gpu::Buffer> CreateTransferBuffer(uint32_t size,
int32_t* id) override;
void DestroyTransferBuffer(int32_t id) override;