Supress integer-overflow in TexSubImage2D(3D)Impl

gpu/command_buffer/client/gles2_implementation.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // A class to emulate GLES2 over command buffers.
 
 #include "gpu/command_buffer/client/gles2_implementation.h"
 
 #include <GLES2/gl2.h>
 #include <GLES2/gl2ext.h>
 #include <GLES2/gl2extchromium.h>
 #include <GLES3/gl3.h>
 #include <stddef.h>
 #include <stdint.h>
 #include <algorithm>
 #include <map>
 #include <set>
 #include <sstream>
 #include <string>
 #include "base/atomic_sequence_num.h"
 #include "base/compiler_specific.h"
+#include "base/numerics/safe_math.h"
 #include "base/strings/string_split.h"
 #include "base/strings/stringprintf.h"
 #include "base/sys_info.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/trace_event/memory_allocator_dump.h"
 #include "base/trace_event/memory_dump_manager.h"
 #include "base/trace_event/process_memory_dump.h"
 #include "base/trace_event/trace_event.h"
 #include "gpu/command_buffer/client/buffer_tracker.h"
 #include "gpu/command_buffer/client/gles2_cmd_helper.h"
@@ skipping 3008 matching lines @@
   DCHECK(buffer);
   DCHECK_GE(level, 0);
   DCHECK_GT(height, 0);
   DCHECK_GT(width, 0);
   DCHECK_GE(xoffset, 0);
   DCHECK_GE(yoffset, 0);
 
   const int8_t* source = reinterpret_cast<const int8_t*>(pixels);
   // Transfer by rows.
   while (height) {
-    unsigned int desired_size =
-        buffer_padded_row_size * (height - 1) + unpadded_row_size;
+    base::CheckedNumeric<unsigned int> desired_size = buffer_padded_row_size;

[Zhenyao Mo, 2016/09/06 21:52:10]

I dig a little further into the code.  It seems to me that whoever calls this
function already did the overflow check.  For example, in TexSubImage2D(),
GLES2Util::ComputeImageDataSizesES3() should make sure no overflow is possible
in here.

Can you check further and see why that function doesn't catch the overflow?

[xidachen, 2016/09/07 02:09:42]

After a closer look, I think you are right. Most checks are not necessary in
TexSubImage2D(3D)Impl because they are already checked to be safe before it is
called. Except one place which is the
yoffset += num_rows;

There are two call sites of TexSubImage2DImpl, and none of them checks yoffset
against any "+" operations.

In PS#4, I removed all un-necessary checks. PTAL.

+    desired_size  = desired_size * (height - 1) + unpadded_row_size;
     if (!buffer->valid() || buffer->size() == 0) {
-      buffer->Reset(desired_size);
+      buffer->Reset(desired_size.ValueOrDefault(
+          std::numeric_limits<unsigned int>::max()));
       if (!buffer->valid()) {
         return;
       }
     }
 
     GLint num_rows = ComputeNumRowsThatFitInBuffer(
         buffer_padded_row_size, unpadded_row_size, buffer->size(), height);
     num_rows = std::min(num_rows, height);
     CopyRectToBuffer(
         source, num_rows, unpadded_row_size, pixels_padded_row_size,
         buffer->address(), buffer_padded_row_size);
     helper_->TexSubImage2D(
         target, level, xoffset, yoffset, width, num_rows, format, type,
         buffer->shm_id(), buffer->offset(), internal);
     buffer->Release();
-    yoffset += num_rows;
-    source += num_rows * pixels_padded_row_size;
+    base::CheckedNumeric<GLint> updated_yoffset = yoffset;
+    updated_yoffset += num_rows;
+    yoffset = updated_yoffset.ValueOrDefault(std::numeric_limits<int>::max());
+    base::CheckedNumeric<uint32_t> source_offset = pixels_padded_row_size;
+    source_offset *= num_rows;
+    source += source_offset.ValueOrDefault(
+        std::numeric_limits<uint32_t>::max());
     height -= num_rows;
   }
 }
 
 void GLES2Implementation::TexSubImage3DImpl(GLenum target,
                                             GLint level,
                                             GLint xoffset,
                                             GLint yoffset,
                                             GLsizei zoffset,
                                             GLsizei width,
                                             GLsizei height,
                                             GLsizei depth,
                                             GLenum format,
                                             GLenum type,
                                             uint32_t unpadded_row_size,
                                             const void* pixels,
                                             uint32_t pixels_padded_row_size,
                                             GLboolean internal,
                                             ScopedTransferBufferPtr* buffer,
                                             uint32_t buffer_padded_row_size) {
   DCHECK(buffer);
   DCHECK_GE(level, 0);
   DCHECK_GT(width, 0);
   DCHECK_GT(height, 0);
   DCHECK_GT(depth, 0);
   DCHECK_GE(xoffset, 0);
   DCHECK_GE(yoffset, 0);
   DCHECK_GE(zoffset, 0);
   const int8_t* source = reinterpret_cast<const int8_t*>(pixels);
-  GLsizei total_rows = height * depth;
+  base::CheckedNumeric<GLsizei> checked_total_rows = height;
+  checked_total_rows *= depth;
+  GLsizei total_rows = checked_total_rows.ValueOrDefault(
+      std::numeric_limits<int>::max());
   GLint row_index = 0, depth_index = 0;
   while (total_rows) {
     // Each time, we either copy one or more images, or copy one or more rows
     // within a single image, depending on the buffer size limit.
     GLsizei max_rows;
-    unsigned int desired_size;
+    base::CheckedNumeric<unsigned int> desired_size = buffer_padded_row_size;
     if (row_index > 0) {
       // We are in the middle of an image. Send the remaining of the image.
       max_rows = height - row_index;
       if (total_rows <= height) {
         // Last image, so last row is unpadded.
-        desired_size = buffer_padded_row_size * (max_rows - 1) +
-            unpadded_row_size;
+        desired_size = desired_size * (max_rows - 1) + unpadded_row_size;
       } else {
-        desired_size = buffer_padded_row_size * max_rows;
+        desired_size *= max_rows;
       }
     } else {
       // Send all the remaining data if possible.
       max_rows = total_rows;
-      desired_size =
-          buffer_padded_row_size * (max_rows - 1) + unpadded_row_size;
+      desired_size = desired_size * (max_rows - 1) + unpadded_row_size;
     }
     if (!buffer->valid() || buffer->size() == 0) {
-      buffer->Reset(desired_size);
+      buffer->Reset(desired_size.ValueOrDefault(
+          std::numeric_limits<unsigned int>::max()));
       if (!buffer->valid()) {
         return;
       }
     }
     GLint num_rows = ComputeNumRowsThatFitInBuffer(
         buffer_padded_row_size, unpadded_row_size, buffer->size(), total_rows);
     num_rows = std::min(num_rows, max_rows);
     GLint num_images = num_rows / height;
     GLsizei my_height, my_depth;
     if (num_images > 0) {
       num_rows = num_images * height;
       my_height = height;
       my_depth = num_images;
     } else {
       my_height = num_rows;
       my_depth = 1;
     }
 
     if (num_images > 0) {
       int8_t* buffer_pointer = reinterpret_cast<int8_t*>(buffer->address());
       uint32_t src_height =
           unpack_image_height_ > 0 ? unpack_image_height_ : height;
-      uint32_t image_size_dst = buffer_padded_row_size * height;
-      uint32_t image_size_src = pixels_padded_row_size * src_height;
+      base::CheckedNumeric<uint32_t> checked_image_size_dst
+          = buffer_padded_row_size;
+      checked_image_size_dst *= height;
+      uint32_t image_size_dst = checked_image_size_dst.ValueOrDefault(
+          std::numeric_limits<uint32_t>::max());
+      base::CheckedNumeric<uint32_t> checked_image_size_src
+          = pixels_padded_row_size;
+      checked_image_size_src *= src_height;
+      uint32_t image_size_src = checked_image_size_src.ValueOrDefault(
+          std::numeric_limits<uint32_t>::max());
       for (GLint ii = 0; ii < num_images; ++ii) {
         CopyRectToBuffer(
             source + ii * image_size_src, my_height, unpadded_row_size,
             pixels_padded_row_size, buffer_pointer + ii * image_size_dst,
             buffer_padded_row_size);
       }
     } else {
       CopyRectToBuffer(
           source, my_height, unpadded_row_size, pixels_padded_row_size,
           buffer->address(), buffer_padded_row_size);
@@ skipping 12 matching lines @@
         depth_index += num_images;
         num_image_paddings = num_images;
       } else {
         row_index = (row_index + my_height) % height;
         num_image_paddings = 0;
         if (my_height > 0 && row_index == 0) {
           depth_index++;
           num_image_paddings++;
         }
       }
-      source += num_rows * pixels_padded_row_size;
+      base::CheckedNumeric<uint32_t> source_offset = pixels_padded_row_size;
+      source_offset *= num_rows;
+      source += source_offset.ValueOrDefault(
+          std::numeric_limits<uint32_t>::max());
       if (unpack_image_height_ > height && num_image_paddings > 0) {
-        source += num_image_paddings * (unpack_image_height_ - height) *
-            pixels_padded_row_size;
+        source_offset = source_offset * num_image_paddings *
+            (unpack_image_height_ - height);
+        source += source_offset.ValueOrDefault(
+            std::numeric_limits<uint32_t>::max());
       }
     }
   }
 }
 
 bool GLES2Implementation::GetActiveAttribHelper(
     GLuint program, GLuint index, GLsizei bufsize, GLsizei* length, GLint* size,
     GLenum* type, char* name) {
   // Clear the bucket so if the command fails nothing will be in it.
   helper_->SetBucketSize(kResultBucketId, 0);
@@ skipping 3700 matching lines @@
   cached_extensions_.clear();
 }
 
 // Include the auto-generated part of this file. We split this because it means
 // we can easily edit the non-auto generated parts right here in this file
 // instead of having to edit some template or the code generator.
 #include "gpu/command_buffer/client/gles2_implementation_impl_autogen.h"
 
 }  // namespace gles2
 }  // namespace gpu