viz: Reject quad when rect is greater than INT_MAX.

In Display::RemoveOverdrawQuads we use the quad->rect area and quad->visible_rect area to influence occlusion culling and quad splitting. In some cases (as found by cluster_fuzz) the rect area does not fit into an int. We prevent these cases by validating the quad rects in mojom_traits. Test: VizSerializationPerfTest.DelegatedFrame_ManyQuads_1_4000 Bug: 1055766 Change-Id: Ia7686f5f9073f39f99b560df32d01efb0faa6903 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2078737Reviewed-by: Chris Palmer <palmer@chromium.org> Reviewed-by: Daniele Castagna <dcastagna@chromium.org> Reviewed-by: Andres Calderon Jaramillo <andrescj@chromium.org> Reviewed-by: Robert Kroeger <rjkroege@chromium.org> Commit-Queue: Sasha McIntosh <sashamcintosh@chromium.org> Cr-Commit-Position: refs/heads/master@{#747407}

viz: Reject quad when rect is greater than INT_MAX.
In Display::RemoveOverdrawQuads we use the quad->rect area and quad->visible_rect area to influence occlusion culling and quad splitting. In some cases (as found by cluster_fuzz) the rect area does not fit into an int. We prevent these cases by validating the quad rects in mojom_traits. Test: VizSerializationPerfTest.DelegatedFrame_ManyQuads_1_4000 Bug: 1055766 Change-Id: Ia7686f5f9073f39f99b560df32d01efb0faa6903 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2078737Reviewed-by: Chris Palmer <palmer@chromium.org> Reviewed-by: Daniele Castagna <dcastagna@chromium.org> Reviewed-by: Andres Calderon Jaramillo <andrescj@chromium.org> Reviewed-by: Robert Kroeger <rjkroege@chromium.org> Commit-Queue: Sasha McIntosh <sashamcintosh@chromium.org> Cr-Commit-Position: refs/heads/master@{#747407}
356303bc · Sasha McIntosh · Commit Bot · df820875 · 356303bc · 356303bc
Commit 356303bc authored Mar 05, 2020 by Sasha McIntosh Committed by Commit Bot Mar 05, 2020
3 changed files
--- a/services/viz/public/cpp/compositing/mojom_traits_perftest.cc
+++ b/services/viz/public/cpp/compositing/mojom_traits_perftest.cc
@@ -140,7 +140,7 @@ class VizSerializationPerfTest : public testing::Test {
  }

  static void RunComplexCompositorFrameTest(const std::string& story) {
-    CompositorFrame frame;
+    CompositorFrame frame = MakeEmptyCompositorFrame();
    frame.metadata.begin_frame_ack = BeginFrameAck(0, 1, true);

    std::vector<TransferableResource>& resource_list = frame.resource_list;

--- a/services/viz/public/cpp/compositing/mojom_traits_unittest.cc
+++ b/services/viz/public/cpp/compositing/mojom_traits_unittest.cc
@@ -923,7 +923,7 @@ TEST_F(StructTraitsTest, QuadListBasic) {
      sqs, rect3, rect3, SurfaceRange(fallback_surface_id, primary_surface_id),
      SK_ColorBLUE, false);

-  const gfx::Rect rect4(1234, 5678, 9101112, 13141516);
+  const gfx::Rect rect4(1234, 5678, 91012, 13141);
  const bool needs_blending = true;
  const ResourceId resource_id4(1337);
  const RenderPassId render_pass_id = 1234u;
@@ -943,7 +943,7 @@ TEST_F(StructTraitsTest, QuadListBasic) {
                           force_anti_aliasing_off, backdrop_filter_quality,
                           can_use_backdrop_filter_cache);

-  const gfx::Rect rect5(123, 567, 91011, 131415);
+  const gfx::Rect rect5(123, 567, 91011, 13141);
  const ResourceId resource_id5(1337);
  const float vertex_opacity[4] = {1.f, 2.f, 3.f, 4.f};
  const bool premultiplied_alpha = true;

--- a/services/viz/public/cpp/compositing/quads_mojom_traits.cc
+++ b/services/viz/public/cpp/compositing/quads_mojom_traits.cc
@@ -227,6 +227,12 @@ bool StructTraits<viz::mojom::DrawQuadDataView, viz::DrawQuad>::Read(
  if (!data.ReadRect(&out->rect) || !data.ReadVisibleRect(&out->visible_rect)) {
    return false;
  }
+  // Reject quads with areas larger than int32.
+  if (!out->rect.size().GetCheckedArea().IsValid())
+    return false;
+  if (!out->rect.Contains(out->visible_rect))
+    return false;
+
  out->needs_blending = data.needs_blending();
  return data.ReadDrawQuadState(out);
 }