| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/browser/renderer_host/software_frame_manager.h" | 5 #include "content/browser/renderer_host/software_frame_manager.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/callback_helpers.h" | 8 #include "base/callback_helpers.h" |
| 9 #include "base/debug/alias.h" | 9 #include "base/debug/alias.h" |
| 10 #include "base/numerics/safe_math.h" | 10 #include "base/numerics/safe_math.h" |
| (...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 90 scoped_ptr<base::SharedMemory> shared_memory( | 90 scoped_ptr<base::SharedMemory> shared_memory( |
| 91 new base::SharedMemory(frame_data->handle, true, | 91 new base::SharedMemory(frame_data->handle, true, |
| 92 process_handle)); | 92 process_handle)); |
| 93 #else | 93 #else |
| 94 scoped_ptr<base::SharedMemory> shared_memory( | 94 scoped_ptr<base::SharedMemory> shared_memory( |
| 95 new base::SharedMemory(frame_data->handle, true)); | 95 new base::SharedMemory(frame_data->handle, true)); |
| 96 #endif | 96 #endif |
| 97 | 97 |
| 98 // The NULL handle is used in testing. | 98 // The NULL handle is used in testing. |
| 99 if (base::SharedMemory::IsHandleValid(shared_memory->handle())) { | 99 if (base::SharedMemory::IsHandleValid(shared_memory->handle())) { |
| 100 base::CheckedNumeric<size_t> size_in_bytes_checked = | 100 DCHECK(frame_data->CheckedSizeInBytes().IsValid()) |
| 101 base::CheckedNumeric<size_t>(4) * | 101 << "Integer overflow when computing bytes to map."; |
| 102 base::CheckedNumeric<size_t>(frame_data->size.width()) * | 102 size_t size_in_bytes = frame_data->SizeInBytes(); |
| 103 base::CheckedNumeric<size_t>(frame_data->size.height()); | |
| 104 if (!size_in_bytes_checked.IsValid()) { | |
| 105 DLOG(ERROR) << "Integer overflow when computing bytes to map."; | |
| 106 return false; | |
| 107 } | |
| 108 size_t size_in_bytes = size_in_bytes_checked.ValueOrDie(); | |
| 109 #ifdef OS_WIN | 103 #ifdef OS_WIN |
| 110 if (!shared_memory->Map(0)) { | 104 if (!shared_memory->Map(0)) { |
| 111 DLOG(ERROR) << "Unable to map renderer memory."; | 105 DLOG(ERROR) << "Unable to map renderer memory."; |
| 112 RecordAction( | 106 RecordAction( |
| 113 base::UserMetricsAction("BadMessageTerminate_SharedMemoryManager1")); | 107 base::UserMetricsAction("BadMessageTerminate_SharedMemoryManager1")); |
| 114 return false; | 108 return false; |
| 115 } | 109 } |
| 116 | 110 |
| 117 if (shared_memory->mapped_size() < size_in_bytes) { | 111 if (shared_memory->mapped_size() < size_in_bytes) { |
| 118 DLOG(ERROR) << "Shared memory too small for given rectangle"; | 112 DLOG(ERROR) << "Shared memory too small for given rectangle"; |
| (...skipping 87 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 206 } | 200 } |
| 207 | 201 |
| 208 void SoftwareFrameManager::EvictCurrentFrame() { | 202 void SoftwareFrameManager::EvictCurrentFrame() { |
| 209 DCHECK(HasCurrentFrame()); | 203 DCHECK(HasCurrentFrame()); |
| 210 DiscardCurrentFrame(); | 204 DiscardCurrentFrame(); |
| 211 if (client_) | 205 if (client_) |
| 212 client_->ReleaseReferencesToSoftwareFrame(); | 206 client_->ReleaseReferencesToSoftwareFrame(); |
| 213 } | 207 } |
| 214 | 208 |
| 215 } // namespace content | 209 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 196423027:
Move SoftwareFrameData overflow checks to the IPC code. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src