Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
220093002:
cc: Prevent integer overflow with software TextureMailbox. (Closed)
|
Created:
6 years, 8 months ago by danakj Modified:
6 years, 8 months ago CC:
chromium-reviews, yusukes+watch_chromium.org, yukishiino+watch_chromium.org, jam, penghuang+watch_chromium.org, sievers+watch_chromium.org, jbauman+watch_chromium.org, nona+watch_chromium.org, darin-cc_chromium.org, kalyank, piman+watch_chromium.org, cc-bugs_chromium.org, James Su, danakj+watch_chromium.org, miu+watch_chromium.org Base URL:
svn://svn.chromium.org/chrome/trunk/src Visibility:
Public. |
Descriptioncc: Prevent integer overflow with software TextureMailbox.
Perform a CHECK() when creating a software TextureMailbox since these
come from outside of cc's control.
Do unsigned integer multiplication to produce an unsigned result,
preventing overflow when possible.
R=piman@chromium.org
BUG=348332
Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=260969
Patch Set 1 #
Total comments: 2
Messages
Total messages: 21 (0 generated)
lgtm https://codereview.chromium.org/220093002/diff/1/cc/resources/texture_mailbox.cc File cc/resources/texture_mailbox.cc (right): https://codereview.chromium.org/220093002/diff/1/cc/resources/texture_mailbox... cc/resources/texture_mailbox.cc:33: CHECK(CheckedSharedMemorySizeInBytes().IsValid()); Can cc generate one for mask layers (not tiled)?
https://codereview.chromium.org/220093002/diff/1/cc/resources/texture_mailbox.cc File cc/resources/texture_mailbox.cc (right): https://codereview.chromium.org/220093002/diff/1/cc/resources/texture_mailbox... cc/resources/texture_mailbox.cc:33: CHECK(CheckedSharedMemorySizeInBytes().IsValid()); On 2014/03/31 22:33:54, piman wrote: > Can cc generate one for mask layers (not tiled)? We don't make a TextureMailbox in that case. It's a TiledLayer/PictureLayer with a single tile. Perhaps overflow in other places but not in this code path. I'm not forgetting something tho am I?
The CQ bit was checked by danakj@chromium.org
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/danakj@chromium.org/220093002/1
On Mon, Mar 31, 2014 at 3:34 PM, <danakj@chromium.org> wrote: > > https://codereview.chromium.org/220093002/diff/1/cc/ > resources/texture_mailbox.cc > File cc/resources/texture_mailbox.cc (right): > > https://codereview.chromium.org/220093002/diff/1/cc/ > resources/texture_mailbox.cc#newcode33 > cc/resources/texture_mailbox.cc:33: > CHECK(CheckedSharedMemorySizeInBytes().IsValid()); > On 2014/03/31 22:33:54, piman wrote: > >> Can cc generate one for mask layers (not tiled)? >> > > We don't make a TextureMailbox in that case. It's a > TiledLayer/PictureLayer with a single tile. Perhaps overflow in other > places but not in this code path. I'm not forgetting something tho am I? > Oh, right. We make a SharedBitmap not a TextureMailbox. Separately we may want to check those code paths. > > https://codereview.chromium.org/220093002/ > To unsubscribe from this group and stop receiving emails from it, send an email to chromium-reviews+unsubscribe@chromium.org.
On 2014/03/31 22:40:45, piman wrote: > On Mon, Mar 31, 2014 at 3:34 PM, <mailto:danakj@chromium.org> wrote: > > > > > https://codereview.chromium.org/220093002/diff/1/cc/ > > resources/texture_mailbox.cc > > File cc/resources/texture_mailbox.cc (right): > > > > https://codereview.chromium.org/220093002/diff/1/cc/ > > resources/texture_mailbox.cc#newcode33 > > cc/resources/texture_mailbox.cc:33: > > CHECK(CheckedSharedMemorySizeInBytes().IsValid()); > > On 2014/03/31 22:33:54, piman wrote: > > > >> Can cc generate one for mask layers (not tiled)? > >> > > > > We don't make a TextureMailbox in that case. It's a > > TiledLayer/PictureLayer with a single tile. Perhaps overflow in other > > places but not in this code path. I'm not forgetting something tho am I? > > > > Oh, right. We make a SharedBitmap not a TextureMailbox. Separately we may > want to check those code paths. Right, true.
On 2014/03/31 22:41:37, danakj wrote: > On 2014/03/31 22:40:45, piman wrote: > > On Mon, Mar 31, 2014 at 3:34 PM, <mailto:danakj@chromium.org> wrote: > > > > > > > > https://codereview.chromium.org/220093002/diff/1/cc/ > > > resources/texture_mailbox.cc > > > File cc/resources/texture_mailbox.cc (right): > > > > > > https://codereview.chromium.org/220093002/diff/1/cc/ > > > resources/texture_mailbox.cc#newcode33 > > > cc/resources/texture_mailbox.cc:33: > > > CHECK(CheckedSharedMemorySizeInBytes().IsValid()); > > > On 2014/03/31 22:33:54, piman wrote: > > > > > >> Can cc generate one for mask layers (not tiled)? > > >> > > > > > > We don't make a TextureMailbox in that case. It's a > > > TiledLayer/PictureLayer with a single tile. Perhaps overflow in other > > > places but not in this code path. I'm not forgetting something tho am I? > > > > > > > Oh, right. We make a SharedBitmap not a TextureMailbox. Separately we may > > want to check those code paths. > > Right, true. HostSharedBitmapManager::GetSharedBitmapFromId already checks for overflow using cc::SharedBitmap::GetSizeInBytes, so that's not an issue.
On Mon, Mar 31, 2014 at 6:44 PM, <jbauman@chromium.org> wrote: > On 2014/03/31 22:41:37, danakj wrote: > >> On 2014/03/31 22:40:45, piman wrote: >> > On Mon, Mar 31, 2014 at 3:34 PM, <mailto:danakj@chromium.org> wrote: >> > >> > > >> > > https://codereview.chromium.org/220093002/diff/1/cc/ >> > > resources/texture_mailbox.cc >> > > File cc/resources/texture_mailbox.cc (right): >> > > >> > > https://codereview.chromium.org/220093002/diff/1/cc/ >> > > resources/texture_mailbox.cc#newcode33 >> > > cc/resources/texture_mailbox.cc:33: >> > > CHECK(CheckedSharedMemorySizeInBytes().IsValid()); >> > > On 2014/03/31 22:33:54, piman wrote: >> > > >> > >> Can cc generate one for mask layers (not tiled)? >> > >> >> > > >> > > We don't make a TextureMailbox in that case. It's a >> > > TiledLayer/PictureLayer with a single tile. Perhaps overflow in other >> > > places but not in this code path. I'm not forgetting something tho am >> I? >> > > >> > >> > Oh, right. We make a SharedBitmap not a TextureMailbox. Separately we >> may >> > want to check those code paths. >> > > Right, true. >> > > HostSharedBitmapManager::GetSharedBitmapFromId already checks for > overflow using > cc::SharedBitmap::GetSizeInBytes, so that's not an issue. > Oh, though that method is multiplying ints instead of size_t's so it'll overflow when it doesn't need to. > > https://codereview.chromium.org/220093002/ > To unsubscribe from this group and stop receiving emails from it, send an email to chromium-reviews+unsubscribe@chromium.org.
On Mon, Mar 31, 2014 at 3:44 PM, <jbauman@chromium.org> wrote: > On 2014/03/31 22:41:37, danakj wrote: > >> On 2014/03/31 22:40:45, piman wrote: >> > On Mon, Mar 31, 2014 at 3:34 PM, <mailto:danakj@chromium.org> wrote: >> > >> > > >> > > https://codereview.chromium.org/220093002/diff/1/cc/ >> > > resources/texture_mailbox.cc >> > > File cc/resources/texture_mailbox.cc (right): >> > > >> > > https://codereview.chromium.org/220093002/diff/1/cc/ >> > > resources/texture_mailbox.cc#newcode33 >> > > cc/resources/texture_mailbox.cc:33: >> > > CHECK(CheckedSharedMemorySizeInBytes().IsValid()); >> > > On 2014/03/31 22:33:54, piman wrote: >> > > >> > >> Can cc generate one for mask layers (not tiled)? >> > >> >> > > >> > > We don't make a TextureMailbox in that case. It's a >> > > TiledLayer/PictureLayer with a single tile. Perhaps overflow in other >> > > places but not in this code path. I'm not forgetting something tho am >> I? >> > > >> > >> > Oh, right. We make a SharedBitmap not a TextureMailbox. Separately we >> may >> > want to check those code paths. >> > > Right, true. >> > > HostSharedBitmapManager::GetSharedBitmapFromId already checks for > overflow using > cc::SharedBitmap::GetSizeInBytes, so that's not an issue. > Looking at ResourceProvider::CreateBitmap, we'd fail shared_bitmap_manager_->AllocateSharedBitmap(size), and fall back to 'pixels = new uint8_t[4 * size.GetArea()];' which would be bad I think. > https://codereview.chromium.org/220093002/ > To unsubscribe from this group and stop receiving emails from it, send an email to chromium-reviews+unsubscribe@chromium.org.
On Mon, Mar 31, 2014 at 6:46 PM, Antoine Labour <piman@chromium.org> wrote: > > > > On Mon, Mar 31, 2014 at 3:44 PM, <jbauman@chromium.org> wrote: > >> On 2014/03/31 22:41:37, danakj wrote: >> >>> On 2014/03/31 22:40:45, piman wrote: >>> > On Mon, Mar 31, 2014 at 3:34 PM, <mailto:danakj@chromium.org> wrote: >>> > >>> > > >>> > > https://codereview.chromium.org/220093002/diff/1/cc/ >>> > > resources/texture_mailbox.cc >>> > > File cc/resources/texture_mailbox.cc (right): >>> > > >>> > > https://codereview.chromium.org/220093002/diff/1/cc/ >>> > > resources/texture_mailbox.cc#newcode33 >>> > > cc/resources/texture_mailbox.cc:33: >>> > > CHECK(CheckedSharedMemorySizeInBytes().IsValid()); >>> > > On 2014/03/31 22:33:54, piman wrote: >>> > > >>> > >> Can cc generate one for mask layers (not tiled)? >>> > >> >>> > > >>> > > We don't make a TextureMailbox in that case. It's a >>> > > TiledLayer/PictureLayer with a single tile. Perhaps overflow in other >>> > > places but not in this code path. I'm not forgetting something tho >>> am I? >>> > > >>> > >>> > Oh, right. We make a SharedBitmap not a TextureMailbox. Separately we >>> may >>> > want to check those code paths. >>> >> >> Right, true. >>> >> >> HostSharedBitmapManager::GetSharedBitmapFromId already checks for >> overflow using >> cc::SharedBitmap::GetSizeInBytes, so that's not an issue. >> > > Looking at ResourceProvider::CreateBitmap, we'd > fail shared_bitmap_manager_->AllocateSharedBitmap(size), and fall back to > 'pixels = new uint8_t[4 * size.GetArea()];' which would be bad I think. > We should not fallback if the Allocate fails.. there's no point in having an unsharable resource when we need one. But we should also not make shared memory allocation in the browser compositor. > > >> https://codereview.chromium.org/220093002/ >> > > To unsubscribe from this group and stop receiving emails from it, send an email to chromium-reviews+unsubscribe@chromium.org.
The CQ bit was unchecked by commit-bot@chromium.org
Retried try job too often on win_rel for step(s) base_unittests, browser_tests, interactive_ui_tests, net_unittests, unit_tests http://build.chromium.org/p/tryserver.chromium/buildstatus?builder=win_rel&nu...
The CQ bit was checked by danakj@chromium.org
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/danakj@chromium.org/220093002/1
The CQ bit was unchecked by commit-bot@chromium.org
Retried try job too often on win_rel for step(s) net_unittests http://build.chromium.org/p/tryserver.chromium/buildstatus?builder=win_rel&nu...
The CQ bit was checked by danakj@chromium.org
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/danakj@chromium.org/220093002/1
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/danakj@chromium.org/220093002/1
Message was sent while issue was closed.
Change committed as 260969 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
