Chromium Code Reviews Chromium Code Reviews
Issue 198253002:
Add bounds validation to AsyncPixelTransfersCompletedQuery::End (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "gpu/command_buffer/service/query_manager.h" | 5 #include "gpu/command_buffer/service/query_manager.h" |
| 6 | 6 |
| 7 #include "base/atomicops.h" | 7 #include "base/atomicops.h" |
| 8 #include "base/bind.h" | 8 #include "base/bind.h" |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "base/memory/shared_memory.h" | 10 #include "base/memory/shared_memory.h" |
| (...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 88 AsyncMemoryParams mem_params; | 88 AsyncMemoryParams mem_params; |
| 89 // Get the real shared memory since it might need to be duped to prevent | 89 // Get the real shared memory since it might need to be duped to prevent |
| 90 // use-after-free of the memory. | 90 // use-after-free of the memory. |
| 91 Buffer buffer = manager()->decoder()->GetSharedMemoryBuffer(shm_id()); | 91 Buffer buffer = manager()->decoder()->GetSharedMemoryBuffer(shm_id()); |
| 92 if (!buffer.shared_memory) | 92 if (!buffer.shared_memory) |
| 93 return false; | 93 return false; |
| 94 mem_params.shared_memory = buffer.shared_memory; | 94 mem_params.shared_memory = buffer.shared_memory; |
| 95 mem_params.shm_size = buffer.size; | 95 mem_params.shm_size = buffer.size; |
| 96 mem_params.shm_data_offset = shm_offset(); | 96 mem_params.shm_data_offset = shm_offset(); |
| 97 mem_params.shm_data_size = sizeof(QuerySync); | 97 mem_params.shm_data_size = sizeof(QuerySync); |
| 98 uint32 end = mem_params.shm_data_offset + mem_params.shm_data_size; | |
| 99 if (end > mem_params.shm_size || end < mem_params.shm_data_offset) | |
|
Jorge Lucangeli Obes
2014/03/12 22:56:44
does |shm_size| just track a size or does it track
| |
| 100 return false; | |
| 98 | 101 |
| 99 observer_ = new AsyncPixelTransferCompletionObserverImpl(submit_count); | 102 observer_ = new AsyncPixelTransferCompletionObserverImpl(submit_count); |
| 100 | 103 |
| 101 // Ask AsyncPixelTransferDelegate to run completion callback after all | 104 // Ask AsyncPixelTransferDelegate to run completion callback after all |
| 102 // previous async transfers are done. No guarantee that callback is run | 105 // previous async transfers are done. No guarantee that callback is run |
| 103 // on the current thread. | 106 // on the current thread. |
| 104 manager()->decoder()->GetAsyncPixelTransferManager() | 107 manager()->decoder()->GetAsyncPixelTransferManager() |
| 105 ->AsyncNotifyCompletion(mem_params, observer_); | 108 ->AsyncNotifyCompletion(mem_params, observer_); |
| 106 | 109 |
| 107 return AddToPendingTransferQueue(submit_count); | 110 return AddToPendingTransferQueue(submit_count); |
| (...skipping 560 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 668 bool QueryManager::EndQuery(Query* query, base::subtle::Atomic32 submit_count) { | 671 bool QueryManager::EndQuery(Query* query, base::subtle::Atomic32 submit_count) { |
| 669 DCHECK(query); | 672 DCHECK(query); |
| 670 if (!RemovePendingQuery(query)) { | 673 if (!RemovePendingQuery(query)) { |
| 671 return false; | 674 return false; |
| 672 } | 675 } |
| 673 return query->End(submit_count); | 676 return query->End(submit_count); |
| 674 } | 677 } |
| 675 | 678 |
| 676 } // namespace gles2 | 679 } // namespace gles2 |
| 677 } // namespace gpu | 680 } // namespace gpu |
| OLD | NEW |
