From 23b231e6ced518daf63ac549f1618bf3d2397ce5 Mon Sep 17 00:00:00 2001
From: Shrek Shao
Date: Mon, 18 Jul 2022 10:44:11 +0000
Subject: [Backport] Security bug 1340654
Cherry-pick of patch orignally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3765222:
Fix dawn write handle data update OOB check
(cherry picked from commit 0ba6ae3d447de7bc599a191f6792a4e6676f10a3)
Bug: chromium:1340654
Change-Id: I9d87cb868eccc380f707ab6c3c6bdc26c386fbfc
Commit-Queue: Shrek Shao
Cr-Original-Commit-Position: refs/heads/main@{#1021911}
Reviewed-by: Simon Hangl
Owners-Override: Simon Hangl
Commit-Queue: Roger Felipe Zanoni da Silva
Cr-Commit-Position: refs/branch-heads/4664@{#1660}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Michal Klocek
---
 .../service/dawn_service_memory_transfer_service.cc | 11 +++++++++--
 chromium/gpu/command_buffer/service/webgpu_decoder_impl.cc | 1 -
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc b/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc
index 2df536f5bdb..e5e2838dcc6 100644
--- a/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc
+++ b/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc
@@ -29,7 +29,8 @@ class ReadHandleImpl
 size_t offset,
 size_t size,
 void* serializePointer) override {
- DCHECK_LE(size + offset, size_);
+ DCHECK_LE(offset, size_);
+ DCHECK_LE(size, size_ - offset);
 // Copy the data into the shared memory allocation.
 // In the case of buffer mapping, this is the mapped GPU memory which we
 // copy into client-visible shared memory.
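Review bot: The two `DCHECK_LE` lines that replace the old `size + offset` check are compiled out in release builds, so unlike the `WriteHandleImpl` hunk in this same file nothing guards the copy that follows when `offset` or `size` is out of range; that is acceptable only if this path receives both values from server-side code, which the hunk does not show. A comment stating the contract would keep a reader from treating the asymmetry with the write handle as an oversight, e.g. `// Not validated in release builds: callers must pass an in-range offset/size (see WriteHandleImpl for the client-facing checks).`. The overflow-safe split into `offset <= size_` then `size <= size_ - offset` is correct and avoids the unsigned wraparound of the removed form. The enclosing `SerializeDataUpdate` signature starts above the hunk and its body continues below it.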
@@ -56,10 +57,16 @@ class WriteHandleImpl
 size_t size) override {
 // Nothing is serialized because we're using shared memory.
 DCHECK_EQ(deserialize_size, 0u);
- DCHECK_LE(size + offset, size_);
 DCHECK(mTargetData);
 DCHECK(ptr_);
 
+ if (offset > mDataLength || size > mDataLength - offset) {
+ return false;
+ }
+ if (offset > size_ || size > size_ - offset) {
+ return false;
+ }
+
 // Copy from shared memory into the target buffer.
 // mTargetData will always be the starting address
 // of the backing buffer after the dawn side change.
diff --git a/chromium/gpu/command_buffer/service/webgpu_decoder_impl.cc b/chromium/gpu/command_buffer/service/webgpu_decoder_impl.cc
index 4b548990ea8..203a84a1e57 100644
--- a/chromium/gpu/command_buffer/service/webgpu_decoder_impl.cc
+++ b/chromium/gpu/command_buffer/service/webgpu_decoder_impl.cc
@@ -1026,7 +1026,6 @@ error::Error WebGPUDecoderImpl::HandleDawnCommands(
 "WebGPUDecoderImpl::HandleDawnCommands", "bytes", size);
 if (!wire_server_->HandleCommands(shm_commands, size)) {
- NOTREACHED();
 return error::kLostContext;
 }
-- 
cgit v1.2.1
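Review bot: The two added `if` guards carry no comment explaining the `size > mDataLength - offset` form, and a later cleanup could refold them into `offset + size > mDataLength`, reintroducing the unsigned wraparound that the removed `DCHECK_LE(size + offset, size_)` was exposed to. Suggest placing above the first `if`: `// Reject out-of-range updates before the copy below. Two checks because the target buffer (mDataLength) and the shared-memory allocation (size_) are sized independently; keep the subtraction form, offset + size can wrap.`. Returning `false` here presumably fails the wire command and, together with the `NOTREACHED()` removal in the webgpu_decoder_impl.cc hunk, surfaces as `error::kLostContext` rather than a crash, but the caller of `DeserializeDataUpdate` is not visible in this hunk, so a one-line comment on the `return false` naming that expectation (`// Invalid client-supplied range: fail the command, do not crash.`) would help. The `memcpy` that consumes `offset` and `size` and the end of `DeserializeDataUpdate` lie below the hunk.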