media: VideoFrame: add offset for shared memory buffers

content/common/gpu/gpu_messages.h

Index: content/common/gpu/gpu_messages.h
diff --git a/content/common/gpu/gpu_messages.h b/content/common/gpu/gpu_messages.h
index 09bc8774ea0d42e9d744ba085eeadb0153850e20..33ed3270033410672b75aadc12d6e9b747169cdb 100644
--- a/content/common/gpu/gpu_messages.h
+++ b/content/common/gpu/gpu_messages.h
@@ -709,9 +709,10 @@ IPC_MESSAGE_ROUTED1(AcceleratedVideoDecoderHostMsg_ErrorNotification,
 
 // Queue a input buffer to the encoder to encode. |frame_id| will be returned by
 // AcceleratedVideoEncoderHostMsg_NotifyInputDone.
-IPC_MESSAGE_ROUTED4(AcceleratedVideoEncoderMsg_Encode,
+IPC_MESSAGE_ROUTED5(AcceleratedVideoEncoderMsg_Encode,
                     int32 /* frame_id */,
                     base::SharedMemoryHandle /* buffer_handle */,
+                    uint32 /* buffer_offset */,

[DaleCurtis, 2015/01/30 18:44:59]

This seems dangerous...

[llandwerlin-old, 2015/01/31 22:42:53]

Can you explain why you think this could be dangerous?
I believe that wrong memory mapping parameters would just lead the mmap
operation to fail (for example with a buffer offset outside the buffer's limit).

[DaleCurtis, 2015/02/02 19:24:18]

An attacker controls both the buffer_offset and buffer_size in this case, which
without careful consideration on the endpoint may lead to issues.

                     uint32 /* buffer_size */,
                     bool /* force_keyframe */)