chrome/browser/renderer_host/backing_store_x.cc - Issue 2786012: Merge 49131 - Add rgb_frame size tracking and resizing to fix security issue ...

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: chrome/browser/renderer_host/backing_store_x.cc

Issue 2786012: Merge 49131 - Add rgb_frame size tracking and resizing to fix security issue ... (Closed) Base URL: svn://svn.chromium.org/chrome/branches/375/src/

Patch Set: Created 10 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: chrome/browser/renderer_host/backing_store_x.cc

===================================================================

--- chrome/browser/renderer_host/backing_store_x.cc (revision 49558)

+++ chrome/browser/renderer_host/backing_store_x.cc (working copy)

@@ -16,6 +16,7 @@

#include <algorithm>

#include <utility>

+#include <limits>

#include "app/surface/transport_dib.h"

#include "app/x11_util.h"

@@ -29,6 +30,14 @@

#include "skia/ext/platform_canvas.h"

#include "third_party/skia/include/core/SkBitmap.h"

+// Assume that somewhere along the line, someone will do width * height * 4

+// with signed numbers. If the maximum value is 2**31, then 2**31 / 4 =

+// 2**29 and floor(sqrt(2**29)) = 23170.

+// Max height and width for layers

+static const int kMaxVideoLayerSize = 23170;

// X Backing Stores:

// Unlike Windows, where the backing store is kept in heap memory, we keep our

@@ -160,10 +169,9 @@

const int width = bitmap_rect.width();

const int height = bitmap_rect.height();

- // Assume that somewhere along the line, someone will do width * height * 4

- // with signed numbers. If the maximum value is 2**31, then 2**31 / 4 =

- // 2**29 and floor(sqrt(2**29)) = 23170.

- if (width > 23170 || height > 23170)

+ if (width <= 0 || width > kMaxVideoLayerSize ||

+ height <= 0 || height > kMaxVideoLayerSize)

return;

TransportDIB* dib = process->GetTransportDIB(bitmap);

@@ -294,8 +302,16 @@

memset(&shminfo, 0, sizeof(shminfo));

image = XShmCreateImage(display_, visual, 32,

ZPixmap, NULL, &shminfo, width, height);

+ if (!image) {

+ return false;

+ }

// Create the shared memory segment for the image and map it.

+ if (image->bytes_per_line == 0 || image->height == 0 ||

+ (std::numeric_limits<size_t>::max() / image->bytes_per_line) >

+ static_cast<size_t>(image->height)) {

+ XDestroyImage(image);

+ return false;

+ }

shminfo.shmid = shmget(IPC_PRIVATE, image->bytes_per_line * image->height,

IPC_CREAT|0666);

if (shminfo.shmid == -1) {

« no previous file with comments | « no previous file | chrome/browser/renderer_host/video_layer_x.h » ('j') | no next file with comments »