author | Shrek Shao <shrekshao@google.com> | 2022-07-18 10:44:11 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2022-08-03 10:07:54 +0000 |
commit | 23b231e6ced518daf63ac549f1618bf3d2397ce5 (patch) | |
tree | 38a10fe356b182f9d11001dffb483d10bc2b242c | |
parent | 25e7c21bb373827a7b94d3d3b0f6de4dacf14399 (diff) | |
download | qtwebengine-chromium-23b231e6ced518daf63ac549f1618bf3d2397ce5.tar.gz |
[Backport] Security bug 1340654
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3765222:
Fix dawn write handle data update OOB check
(cherry picked from commit 0ba6ae3d447de7bc599a191f6792a4e6676f10a3)
Bug: chromium:1340654
Change-Id: I9d87cb868eccc380f707ab6c3c6bdc26c386fbfc
Commit-Queue: Shrek Shao <shrekshao@google.com>
Cr-Original-Commit-Position: refs/heads/main@{#1021911}
Reviewed-by: Simon Hangl <simonha@google.com>
Owners-Override: Simon Hangl <simonha@google.com>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1660}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc | 11 | ||||
-rw-r--r-- | chromium/gpu/command_buffer/service/webgpu_decoder_impl.cc | 1 |
2 files changed, 9 insertions, 3 deletions
diff --git a/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc b/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc
index 2df536f5bdb..e5e2838dcc6 100644
--- a/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc
+++ b/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc
@@ -29,7 +29,8 @@ class ReadHandleImpl
 size_t offset,
 size_t size,
 void* serializePointer) override {
- DCHECK_LE(size + offset, size_);
+ DCHECK_LE(offset, size_);
+ DCHECK_LE(size, size_ - offset);
 // Copy the data into the shared memory allocation.
 // In the case of buffer mapping, this is the mapped GPU memory which we
 // copy into client-visible shared memory.
@@ -56,10 +57,16 @@ class WriteHandleImpl
 size_t size) override {
 // Nothing is serialized because we're using shared memory.
 DCHECK_EQ(deserialize_size, 0u);
- DCHECK_LE(size + offset, size_);
 DCHECK(mTargetData);
 DCHECK(ptr_);
+ if (offset > mDataLength || size > mDataLength - offset) {
+ return false;
+ }
+ if (offset > size_ || size > size_ - offset) {
+ return false;
+ }
+
 // Copy from shared memory into the target buffer.
 // mTargetData will always be the starting address
 // of the backing buffer after the dawn side change.
diff --git a/chromium/gpu/command_buffer/service/webgpu_decoder_impl.cc b/chromium/gpu/command_buffer/service/webgpu_decoder_impl.cc
index 4b548990ea8..203a84a1e57 100644
--- a/chromium/gpu/command_buffer/service/webgpu_decoder_impl.cc
+++ b/chromium/gpu/command_buffer/service/webgpu_decoder_impl.cc
@@ -1026,7 +1026,6 @@ error::Error WebGPUDecoderImpl::HandleDawnCommands(
 "WebGPUDecoderImpl::HandleDawnCommands", "bytes", size);
 if (!wire_server_->HandleCommands(shm_commands, size)) {
- NOTREACHED();
 return error::kLostContext;
 }
|
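Review bot: The split `DCHECK_LE(offset, size_)` / `DCHECK_LE(size, size_ - offset)` in ReadHandleImpl deserves a one-line comment, because the next reader will be tempted to fold it back into the shorter `size + offset` form that can wrap, e.g. `// Two comparisons so that offset + size cannot overflow size_t.` Since DCHECKs are compiled out in release builds, this check only helps debug builds; if offset and size on the read path can be influenced by the client, the same runtime `return false` handling the commit adds to WriteHandleImpl::DeserializeDataUpdate would be needed here too — from the hunk alone I cannot tell whether they are server-derived. The enclosing method starts before the hunk and continues past it.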
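Review bot: The two new range checks in WriteHandleImpl::DeserializeDataUpdate are the overflow-safe form but carry no comment saying which buffer each one bounds, so `mDataLength` and `size_` read as interchangeable; a comment such as `// The client-supplied range must fit both the Dawn target buffer (mDataLength) and the shared-memory allocation (size_); compare in two steps so offset + size cannot wrap.` would record why both are needed (which buffer each name refers to is inferred from the surrounding comments — confirm). This is now the third copy of the same idiom in the file (ReadHandleImpl's DCHECKs above use it too); a small helper, e.g. `static bool RangeFits(size_t offset, size_t size, size_t length) { return offset <= length && size <= length - offset; }`, would make each call site a single readable line. Returning false is the right reaction for client-controlled input, but whether the wire server treats false as a fatal command error is decided outside this hunk and is worth confirming. The method body starts before and continues after the hunk.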
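Review bot: Dropping `NOTREACHED()` turns a HandleCommands failure from a debug crash into a returned `error::kLostContext`, but nothing in the code now records that this path is reachable on purpose; a comment such as `// HandleCommands fails on malformed or out-of-range client wire data, which is a client-triggerable condition rather than a programmer error, so do not assert here.` would keep the assert from being reintroduced. Consider also counting or logging this failure once (a histogram or a rate-limited DLOG), since context loss caused by invalid wire commands is a useful signal when diagnosing misbehaving clients — whether such instrumentation already exists elsewhere in HandleDawnCommands is not visible in the hunk. The function continues outside the hunk.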