content/browser/renderer_host/software_frame_manager.cc - Issue 196283018: Fix integer overflow in software compositor

Side by Side Diff: content/browser/renderer_host/software_frame_manager.cc

Issue 196283018: Fix integer overflow in software compositor (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 6 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2013 The Chromium Authors. All rights reserved.	1 // Copyright 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "content/browser/renderer_host/software_frame_manager.h"	5 #include "content/browser/renderer_host/software_frame_manager.h"

6	6

7 #include "base/bind.h"	7 #include "base/bind.h"

8 #include "base/callback_helpers.h"	8 #include "base/callback_helpers.h"

9 #include "base/debug/alias.h"	9 #include "base/debug/alias.h"

	10 #include "base/numerics/safe_math.h"

10 #include "content/browser/renderer_host/dip_util.h"	11 #include "content/browser/renderer_host/dip_util.h"

11 #include "content/public/browser/user_metrics.h"	12 #include "content/public/browser/user_metrics.h"

12	13

13 namespace {	14 namespace {

14	15

15 void ReleaseMailbox(scoped_refptr<content::SoftwareFrame> frame,	16 void ReleaseMailbox(scoped_refptr<content::SoftwareFrame> frame,

16 uint32 sync_point,	17 uint32 sync_point,

17 bool lost_resource) {}	18 bool lost_resource) {}

18	19

19 } // namespace	20 } // namespace

(...skipping 69 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
89 scoped_ptr<base::SharedMemory> shared_memory(	90 scoped_ptr<base::SharedMemory> shared_memory(

90 new base::SharedMemory(frame_data->handle, true,	91 new base::SharedMemory(frame_data->handle, true,

91 process_handle));	92 process_handle));

92 #else	93 #else

93 scoped_ptr<base::SharedMemory> shared_memory(	94 scoped_ptr<base::SharedMemory> shared_memory(

94 new base::SharedMemory(frame_data->handle, true));	95 new base::SharedMemory(frame_data->handle, true));

95 #endif	96 #endif

96	97

97 // The NULL handle is used in testing.	98 // The NULL handle is used in testing.

98 if (base::SharedMemory::IsHandleValid(shared_memory->handle())) {	99 if (base::SharedMemory::IsHandleValid(shared_memory->handle())) {

99 const size_t size_in_bytes = 4 * frame_data->size.GetArea();	100 base::CheckedNumeric<size_t> size_in_bytes_checked =

	101 base::CheckedNumeric<size_t>(4) *

	102 base::CheckedNumeric<size_t>(frame_data->size.width()) *

	103 base::CheckedNumeric<size_t>(frame_data->size.height());
	jschuh 2014/03/14 06:14:12 This is fine, but is there a good reason not to ha This is fine, but is there a good reason not to have overflow checks in gfx::SizeBase::GetArea() and gfx::SizeBase::Expand()? We can just have integer overflow saturate to numeric_limits<Type>::max(), to preserve the current interface (and it parallels flooring the negative values to zero elsewhere in the class). ccameron 2014/03/14 19:38:14 Filed issue 352761 on it. Show quoted text On 2014/03/14 06:14:12, Justin Schuh wrote: > This is fine, but is there a good reason not to have overflow checks in > gfx::SizeBase::GetArea() and gfx::SizeBase::Expand()? We can just have integer > overflow saturate to numeric_limits<Type>::max(), to preserve the current > interface (and it parallels flooring the negative values to zero elsewhere in > the class). Filed issue 352761 on it.
	104 if (!size_in_bytes_checked.IsValid()) {

	105 DLOG(ERROR) << "Integer overflow when computing bytes to map.";

	106 return false;

	107 }

	108 size_t size_in_bytes = size_in_bytes_checked.ValueOrDie();

100 #ifdef OS_WIN	109 #ifdef OS_WIN

101 if (!shared_memory->Map(0)) {	110 if (!shared_memory->Map(0)) {

102 DLOG(ERROR) << "Unable to map renderer memory.";	111 DLOG(ERROR) << "Unable to map renderer memory.";

103 RecordAction(	112 RecordAction(

104 base::UserMetricsAction("BadMessageTerminate_SharedMemoryManager1"));	113 base::UserMetricsAction("BadMessageTerminate_SharedMemoryManager1"));

105 return false;	114 return false;

106 }	115 }

107	116

108 if (shared_memory->mapped_size() < size_in_bytes) {	117 if (shared_memory->mapped_size() < size_in_bytes) {

109 DLOG(ERROR) << "Shared memory too small for given rectangle";	118 DLOG(ERROR) << "Shared memory too small for given rectangle";

(...skipping 87 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
197 }	206 }

198	207

199 void SoftwareFrameManager::EvictCurrentFrame() {	208 void SoftwareFrameManager::EvictCurrentFrame() {

200 DCHECK(HasCurrentFrame());	209 DCHECK(HasCurrentFrame());

201 DiscardCurrentFrame();	210 DiscardCurrentFrame();

202 if (client_)	211 if (client_)

203 client_->ReleaseReferencesToSoftwareFrame();	212 client_->ReleaseReferencesToSoftwareFrame();

204 }	213 }

205	214

206 } // namespace content	215 } // namespace content

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »