
Unified Diff: chrome/browser/renderer_host/video_layer_x.cc

Issue 2786012: Merge 49131 - Add rgb_frame size tracking and resizing to fix security issue ... (Closed) Base URL: svn://svn.chromium.org/chrome/branches/375/src/
Patch Set: Created 10 years, 6 months ago
Index: chrome/browser/renderer_host/video_layer_x.cc
===================================================================
--- chrome/browser/renderer_host/video_layer_x.cc (revision 49558)
+++ chrome/browser/renderer_host/video_layer_x.cc (working copy)
@@ -8,6 +8,14 @@
#include "chrome/browser/renderer_host/render_process_host.h"
#include "media/base/yuv_convert.h"
+
+// Assume that somewhere along the line, someone will do width * height * 4
+// with signed numbers. If the maximum value is 2**31, then 2**31 / 4 =
+// 2**29 and floor(sqrt(2**29)) = 23170.
+
+// Max height and width for layers
+static const int kMaxVideoLayerSize = 23170;
+
VideoLayerX::VideoLayerX(RenderWidgetHost* widget,
const gfx::Size& size,
void* visual,
@@ -15,7 +23,8 @@
: VideoLayer(widget, size),
visual_(visual),
depth_(depth),
- display_(x11_util::GetXDisplay()) {
+ display_(x11_util::GetXDisplay()),
+ rgb_frame_size_(0) {
DCHECK(!size.IsEmpty());
// Create our pixmap + GC representing an RGB version of a video frame.
@@ -51,22 +60,22 @@
// Save location and size of destination bitmap.
rgb_rect_ = bitmap_rect;
+ const int width = bitmap_rect.width();
+ const int height = bitmap_rect.height();
+ const size_t new_rgb_frame_size = static_cast<size_t>(width * height * 4);
+
+ if (width <= 0 || width > kMaxVideoLayerSize ||
+ height <= 0 || height > kMaxVideoLayerSize)
+ return;
+
// Lazy allocate |rgb_frame_|.
- if (!rgb_frame_.get()) {
+ if (!rgb_frame_.get() || rgb_frame_size_ < new_rgb_frame_size) {
// TODO(scherkus): handle changing dimensions and re-allocating.
CHECK(size() == rgb_rect_.size());
-
- rgb_frame_.reset(new uint8[rgb_rect_.width() * rgb_rect_.height() * 4]);
+ rgb_frame_.reset(new uint8[new_rgb_frame_size]);
+ rgb_frame_size_ = new_rgb_frame_size;
}
- const int width = bitmap_rect.width();
- const int height = bitmap_rect.height();
- // Assume that somewhere along the line, someone will do width * height * 4
- // with signed numbers. If the maximum value is 2**31, then 2**31 / 4 =
- // 2**29 and floor(sqrt(2**29)) = 23170.
- if (width > 23170 || height > 23170)
- return;
-
TransportDIB* dib = process->GetTransportDIB(bitmap);
if (!dib)
return;
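Review bot: The product `width * height * 4` on the `new_rgb_frame_size` line is still evaluated before the range check that follows it, so for an oversized or negative `bitmap_rect` the signed multiplication overflows (undefined behavior) and a negative result is cast to `size_t` before the early `return` rejects the dimensions. Move the computation below the check: delete the `new_rgb_frame_size` line, and after the `return;` of the bounds check add `const size_t new_rgb_frame_size = static_cast<size_t>(width) * height * 4;` so the multiplication happens only on values already proven to be in `(0, kMaxVideoLayerSize]`. The `<= 0` test is the right addition since the old check only bounded the upper end; a zero dimension would otherwise allocate a zero-length buffer that later conversion code may still write into. The enclosing function starts before this hunk, so the origin of `bitmap_rect` and `process` is not visible here.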