author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2022-11-29 11:52:36 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2022-11-29 11:52:36 +0100 |
commit | c1ffb5f937251798307c1834cca3d79266000c06 (patch) | |
tree | 65517eab882e238de91a4e7827fda9ab2666ca1c /chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc | |
parent | d878f684916cef110d8e4474eac3658e47f63e9e (diff) | |
parent | 45f9ded08bb7526984b24ccb5a5327aaf6821676 (diff) | |
download | qtwebengine-chromium-c1ffb5f937251798307c1834cca3d79266000c06.tar.gz |
Merge branch 'upstream-master' into 106-based
Change-Id: I772959dc154151e6eaf38cdeaf586c3acf1e90e8
Diffstat (limited to 'chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc')
-rw-r--r-- | chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc b/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc
index 579cd3cbdfc..a15b6f9b3b3 100644
--- a/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc
+++ b/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc
@@ -30,8 +30,13 @@ class ReadHandleImpl
 size_t offset,
 size_t size,
 void* serializePointer) override {
- DCHECK_LE(offset, size_);
- DCHECK_LE(size, size_ - offset);
+ // TODO(crbug.com/1373314): A compromised renderer could have a shared
+ // memory size not large enough to fit the GPU buffer contents. Instead of
+ // DCHECK, do a CHECK here to crash the release build. The crash is fine
+ // since it is not reachable from normal behavior. WebGPU post-V1 will have
+ // a refactored API.
+ CHECK_LE(offset, size_);
+ CHECK_LE(size, size_ - offset);
 // Copy the data into the shared memory allocation.
 // In the case of buffer mapping, this is the mapped GPU memory which we
 // copy into client-visible shared memory.
@@ -94,7 +99,10 @@ bool DawnServiceMemoryTransferService::DeserializeReadHandle(
 size_t deserialize_size,
 ReadHandle** read_handle) {
 DCHECK(deserialize_pointer);
- DCHECK_EQ(deserialize_size, sizeof(MemoryTransferHandle));
+ // Use CHECK instead of DCHECK because the cast of the memory to
+ // MemoryTransferHandle and subsequent reads won't be safe if deserialize_size
+ // is too small.
+ CHECK_EQ(deserialize_size, sizeof(MemoryTransferHandle));
 const volatile MemoryTransferHandle* handle =
 reinterpret_cast<const volatile MemoryTransferHandle*>(
 deserialize_pointer);
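Review bot: The new `CHECK_LE` pair on `offset` and `size` turns renderer-supplied values into a hard GPU-process crash, yet the accompanying comment justifies this with "not reachable from normal behavior", which understates that a compromised renderer can reach it on purpose; the comment should say this is a deliberate fail-closed crash, not an unreachable assertion. Suggested wording: `// CHECK (not DCHECK): a compromised renderer controls offset/size; crashing the GPU process is the intended fail-closed response until the post-V1 API can report the error instead.` The check ordering is right: `CHECK_LE(offset, size_)` runs first, so `size_ - offset` cannot wrap before the second check. The enclosing method's signature begins before the hunk, so what `size_` is measured against cannot be confirmed from here.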
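Review bot: `CHECK_EQ(deserialize_size, sizeof(MemoryTransferHandle))` in `DeserializeReadHandle` makes a length that, if it comes from the wire command stream, a compromised renderer controls into a GPU-process crash, although the function already returns `bool` and could reject the malformed handle with `if (deserialize_size != sizeof(MemoryTransferHandle)) return false;` ahead of the `reinterpret_cast`, which is equally safe against the undersized-read problem the comment describes and is not a remotely triggerable crash. The size check also does not establish that `deserialize_pointer` is suitably aligned for `MemoryTransferHandle`; copying the bytes into a local with `memcpy` would sidestep alignment and guarantee each field is read from the untrusted buffer exactly once. Whether the length is renderer-controlled depends on the caller, which is not visible here, and the reads through the `volatile` handle pointer continue past the end of the hunk, so whether fields are re-read after validation cannot be confirmed.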
@@ -119,7 +127,10 @@ bool DawnServiceMemoryTransferService::DeserializeWriteHandle(
 size_t deserialize_size,
 WriteHandle** write_handle) {
 DCHECK(deserialize_pointer);
- DCHECK_EQ(deserialize_size, sizeof(MemoryTransferHandle));
+ // Use CHECK instead of DCHECK because the cast of the memory to
+ // MemoryTransferHandle and subsequent reads won't be safe if deserialize_size
+ // is too small.
+ CHECK_EQ(deserialize_size, sizeof(MemoryTransferHandle));
 const volatile MemoryTransferHandle* handle =
 reinterpret_cast<const volatile MemoryTransferHandle*>(
 deserialize_pointer); |
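Review bot: As in `DeserializeReadHandle`, the new `CHECK_EQ` in `DeserializeWriteHandle` crashes the GPU process on a mismatched `deserialize_size` even though the function returns `bool` and can fail closed with `if (deserialize_size != sizeof(MemoryTransferHandle)) return false;` before the cast, keeping the same memory-safety guarantee without a crash a misbehaving client can trigger. Whether the length is renderer-controlled depends on the caller, which is not visible here. The reads through the `volatile` handle pointer continue past the end of the hunk, so the single-read discipline on those fields cannot be checked from this view.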