Use real colorspace for DirectComposition overlays.

gpu/command_buffer/service/gles2_cmd_decoder.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "gpu/command_buffer/service/gles2_cmd_decoder.h"
 
 #include <limits.h>
 #include <stddef.h>
 #include <stdint.h>
 #include <stdio.h>
@@ skipping 12078 matching lines @@
   }
 
   GLsizei num_textures = c.num_textures;
   if (num_textures < 0 || num_textures > 4) {
     LOCAL_SET_GL_ERROR(GL_INVALID_OPERATION, "glScheduleDCLayerCHROMIUM",
                        "number of textures greater than maximum of 4");
     return error::kNoError;
   }
 
   size_t textures_size = num_textures * sizeof(GLuint);
+  GLsizei color_space_size = c.color_space_size;
 
   base::CheckedNumeric<uint32_t> data_size = textures_size;
   const uint32_t kRectDataSize = 8 * sizeof(GLfloat);
   data_size += kRectDataSize;
+  data_size += color_space_size;
   if (!data_size.IsValid())
     return error::kOutOfBounds;
   const void* data =
       GetAddressAndCheckSize(c.shm_id, c.shm_offset, data_size.ValueOrDie());
   if (!data) {
     return error::kOutOfBounds;
   }
   const GLfloat* mem = reinterpret_cast<const GLfloat*>(data);
 
   gfx::RectF contents_rect(mem[0], mem[1], mem[2], mem[3]);
@@ skipping 18 matching lines @@
                                             &image_state);
       if (!image) {
         LOCAL_SET_GL_ERROR(GL_INVALID_VALUE, "glScheduleDCLayerCHROMIUM",
                            "unsupported texture format");
         return error::kNoError;
       }
     }
     images.push_back(image);
   }
 
+  volatile const char* volatile_color_space_data =
+      reinterpret_cast<volatile const char*>(data) + kRectDataSize +
+      textures_size;
+
+  // Make a copy to reduce the risk of a time of check to time of use attack.
+  std::vector<char> color_space_data(
+      volatile_color_space_data, volatile_color_space_data + color_space_size);
+  base::Pickle color_space_pickle(color_space_data.data(), color_space_size);
+  base::PickleIterator iterator(color_space_pickle);
+  gfx::ColorSpace color_space;
+  if (!color_space.ReadFromPickle(&iterator))
+    return error::kOutOfBounds;
+
   ui::DCRendererLayerParams params = ui::DCRendererLayerParams(
       dc_layer_shared_state_->is_clipped, dc_layer_shared_state_->clip_rect,
       dc_layer_shared_state_->z_order, dc_layer_shared_state_->transform,
       images, contents_rect, gfx::ToEnclosingRect(bounds_rect),
       c.background_color, c.edge_aa_mask, dc_layer_shared_state_->opacity,
-      filter);
+      filter, color_space);
   if (!surface_->ScheduleDCLayer(params)) {
     LOCAL_SET_GL_ERROR(GL_INVALID_OPERATION, "glScheduleDCLayerCHROMIUM",
                        "failed to schedule DCLayer");
   }
   return error::kNoError;
 }
 
 void GLES2DecoderImpl::DoScheduleCALayerInUseQueryCHROMIUM(
     GLsizei count,
     const volatile GLuint* textures) {
@@ skipping 7483 matching lines @@
 }
 
 // Include the auto-generated part of this file. We split this because it means
 // we can easily edit the non-auto generated parts right here in this file
 // instead of having to edit some template or the code generator.
 #include "base/macros.h"
 #include "gpu/command_buffer/service/gles2_cmd_decoder_autogen.h"
 
 }  // namespace gles2
 }  // namespace gpu