Limit number of handles read in ServiceFontManager

This prevents resizing a vector to a fake and extremely large size. Bug: 942428 Change-Id: I020b9b3eb3516dfcfc65d4687ce4e3a5a0e3a9ad Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1526305 Auto-Submit: enne <enne@chromium.org> Reviewed-by: Khushal <khushalsagar@chromium.org> Reviewed-by: Antoine Labour <piman@chromium.org> Commit-Queue: Antoine Labour <piman@chromium.org> Cr-Commit-Position: refs/heads/master@{#642300}

Limit number of handles read in ServiceFontManager
This prevents resizing a vector to a fake and extremely large size. Bug: 942428 Change-Id: I020b9b3eb3516dfcfc65d4687ce4e3a5a0e3a9ad Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1526305 Auto-Submit: enne <enne@chromium.org> Reviewed-by: Khushal <khushalsagar@chromium.org> Reviewed-by: Antoine Labour <piman@chromium.org> Commit-Queue: Antoine Labour <piman@chromium.org> Cr-Commit-Position: refs/heads/master@{#642300}
33863486 · Adrienne Walker · Commit Bot · 9f29921c · 33863486
Commit 33863486 authored Mar 20, 2019 by Adrienne Walker Committed by Commit Bot Mar 20, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

gpu/command_buffer/service/service_font_manager.cc gpu/command_buffer/service/service_font_manager.cc +4 -0

No files found.
--- a/gpu/command_buffer/service/service_font_manager.cc
+++ b/gpu/command_buffer/service/service_font_manager.cc
@@ -166,6 +166,10 @@ bool ServiceFontManager::Deserialize(
  if (!deserializer.Read<uint32_t>(&num_locked_handles))
    return false;

+  // Loosely avoid extremely large (but fake) numbers of locked handles.
+  if (memory_size / sizeof(SkDiscardableHandleId) < num_locked_handles)
+    return false;
+
  locked_handles->resize(num_locked_handles);
  for (uint32_t i = 0; i < num_locked_handles; ++i) {
    if (!deserializer.Read<SkDiscardableHandleId>(&locked_handles->at(i)))