authorAllan Sandfeld Jensen <allan.jensen@qt.io>2018-11-21 16:11:28 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2018-11-24 11:32:02 +0000
commitbee1c29f64e8b99f9c529426934665001eb4e140 (patch)
treef3ad719cf8163cfa629d9c3ae6c86952c636a85c
parentf98eb4915b471dacdc0c342877068c7cda41103d (diff)
downloadqtwebengine-chromium-bee1c29f64e8b99f9c529426934665001eb4e140.tar.gz
[Backport] Fix of CVE-2018-17479 (1/2)
gpu: fix GetResultAs callsites GetResultAs returns a pointer to the transfer buffer. Under some conditions, the transfer buffer may be reallocated, so we need to make sure a GetResultAs-returned pointer isn't used across such a reallocation. Bug: 905336 Change-Id: I1a9699d38149c56ee5430bff125a1168ca053696 Reviewed-on: https://chromium-review.googlesource.com/c/1336152 Commit-Queue: Antoine Labour <piman@chromium.org> Reviewed-by: James Darpinian <jdarpinian@chromium.org> Reviewed-by: Kenneth Russell <kbr@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#608145}(cherry picked from commit 0d836853c4944a4afc507be85613b998476898fc) Reviewed-on: https://chromium-review.googlesource.com/c/1336518 Reviewed-by: Antoine Labour <piman@chromium.org> Cr-Commit-Position: refs/branch-heads/3538@{#1089} Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811} Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--chromium/gpu/command_buffer/client/gles2_implementation.cc24
1 files changed, 13 insertions, 11 deletions
diff --git a/chromium/gpu/command_buffer/client/gles2_implementation.cc b/chromium/gpu/command_buffer/client/gles2_implementation.cc
index 33cd9dce8be..8c0b78066e0 100644
--- a/chromium/gpu/command_buffer/client/gles2_implementation.cc
+++ b/chromium/gpu/command_buffer/client/gles2_implementation.cc
@@ -1606,15 +1606,15 @@ GLint GLES2Implementation::GetUniformLocation(
bool GLES2Implementation::GetUniformIndicesHelper(
GLuint program, GLsizei count, const char* const* names, GLuint* indices) {
+ if (!PackStringsToBucket(count, names, NULL, "glGetUniformIndices")) {
+ return false;
+ }
typedef cmds::GetUniformIndices::Result Result;
Result* result = GetResultAs<Result*>();
if (!result) {
return false;
}
result->SetNumResults(0);
- if (!PackStringsToBucket(count, names, NULL, "glGetUniformIndices")) {
- return false;
- }
helper_->GetUniformIndices(program, kResultBucketId,
GetResultShmId(), GetResultShmOffset());
WaitForCmd();
@@ -3240,7 +3240,8 @@ bool GLES2Implementation::GetActiveAttribHelper(
helper_->GetActiveAttrib(program, index, kResultBucketId,
GetResultShmId(), GetResultShmOffset());
WaitForCmd();
- if (result->success) {
+ bool success = !!result->success;
+ if (success) {
if (size) {
*size = result->size;
}
@@ -3249,6 +3250,7 @@ bool GLES2Implementation::GetActiveAttribHelper(
}
if (length || name) {
std::vector<int8_t> str;
+ // Note: this can invalidate |result|.
GetBucketContents(kResultBucketId, &str);
GLsizei max_size = std::min(static_cast<size_t>(bufsize) - 1,
std::max(static_cast<size_t>(0),
@@ -3262,7 +3264,7 @@ bool GLES2Implementation::GetActiveAttribHelper(
}
}
}
- return result->success != 0;
+ return success;
}
void GLES2Implementation::GetActiveAttrib(
@@ -3479,12 +3481,6 @@ void GLES2Implementation::GetActiveUniformBlockiv(
bool GLES2Implementation::GetActiveUniformsivHelper(
GLuint program, GLsizei count, const GLuint* indices,
GLenum pname, GLint* params) {
- typedef cmds::GetActiveUniformsiv::Result Result;
- Result* result = GetResultAs<Result*>();
- if (!result) {
- return false;
- }
- result->SetNumResults(0);
base::CheckedNumeric<size_t> bytes = static_cast<size_t>(count);
bytes *= sizeof(GLuint);
if (!bytes.IsValid()) {
@@ -3492,6 +3488,12 @@ bool GLES2Implementation::GetActiveUniformsivHelper(
return false;
}
SetBucketContents(kResultBucketId, indices, bytes.ValueOrDefault(0));
+ typedef cmds::GetActiveUniformsiv::Result Result;
+ Result* result = GetResultAs<Result*>();
+ if (!result) {
+ return false;
+ }
+ result->SetNumResults(0);
helper_->GetActiveUniformsiv(
program, kResultBucketId, pname, GetResultShmId(), GetResultShmOffset());
WaitForCmd();
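Review bot: The reorderings in GetUniformIndicesHelper (PackStringsToBucket now runs before GetResultAs) and GetActiveUniformsivHelper (SetBucketContents now runs before GetResultAs) carry no comment saying why the order matters, so a later refactor could move the bucket write back below GetResultAs and silently reintroduce the stale-pointer read this commit removes; add `// Must precede GetResultAs(): writing the bucket can reallocate the transfer buffer.` above the moved call in both functions. In GetActiveAttribHelper the `// Note: this can invalidate |result|.` comment is the only guard after `success` is cached; consider also adding `result = nullptr;` directly after the GetBucketContents call so any later dereference fails loudly instead of reading through a stale pointer. All three helpers continue outside their hunks, so any remaining `result->` uses after WaitForCmd() in GetUniformIndicesHelper and GetActiveUniformsivHelper could not be checked here.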