Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(155)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: gpu/command_buffer/service/query_manager.cc

Issue 198253002: Add bounds validation to AsyncPixelTransfersCompletedQuery::End (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 6 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: gpu/command_buffer/service/query_manager.cc
diff --git a/gpu/command_buffer/service/query_manager.cc b/gpu/command_buffer/service/query_manager.cc
index f323c3ee9288caa2bc0a3b304f077a0dd6ca0cd1..5d5757769f4457a2cac8bd2107b8874ab7c22a36 100644
--- a/gpu/command_buffer/service/query_manager.cc
+++ b/gpu/command_buffer/service/query_manager.cc
@@ -95,6 +95,9 @@ bool AsyncPixelTransfersCompletedQuery::End(
mem_params.shm_size = buffer.size;
mem_params.shm_data_offset = shm_offset();
mem_params.shm_data_size = sizeof(QuerySync);
+ uint32 end = mem_params.shm_data_offset + mem_params.shm_data_size;
+ if (end > mem_params.shm_size || end < mem_params.shm_data_offset)
Jorge Lucangeli Obes 2014/03/12 22:56:44 does |shm_size| just track a size or does it track
+ return false;
observer_ = new AsyncPixelTransferCompletionObserverImpl(submit_count);
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698