Address potential incorrect memory request due to truncated int

ClusterFuzz found an issue in RasterDecoderImpl::DoReadbackImagePixelsINTERNAL. When |row_bytes| is very large, SkImageInfo::computeByteSize() can return a 64bit integer larger than UINT32_MAX. Since GetSharedMemoryAs() takes a 32bit integer for |size|, the int is truncated, resulting in an incorrect value. This change ensures that the result of computeByteSize() is < UINT32_MAX. This change also addresses the same potential case in RasterDecoderImpl::DoWritePixelsINTERNAL. Bug: 1114500 Change-Id: I5cd3acfaac788e97353e0da866b63f694e326e2a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2353402Reviewed-by: Khushal <khushalsagar@chromium.org> Commit-Queue: Jonah Chin <jochin@microsoft.com> Cr-Commit-Position: refs/heads/master@{#797842}

Address potential incorrect memory request due to truncated int
ClusterFuzz found an issue in RasterDecoderImpl::DoReadbackImagePixelsINTERNAL. When |row_bytes| is very large, SkImageInfo::computeByteSize() can return a 64bit integer larger than UINT32_MAX. Since GetSharedMemoryAs() takes a 32bit integer for |size|, the int is truncated, resulting in an incorrect value. This change ensures that the result of computeByteSize() is < UINT32_MAX. This change also addresses the same potential case in RasterDecoderImpl::DoWritePixelsINTERNAL. Bug: 1114500 Change-Id: I5cd3acfaac788e97353e0da866b63f694e326e2a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2353402Reviewed-by: Khushal <khushalsagar@chromium.org> Commit-Queue: Jonah Chin <jochin@microsoft.com> Cr-Commit-Position: refs/heads/master@{#797842}
76a78002 · Jonah Chin · Commit Bot · 8680f051 · 76a78002
Commit 76a78002 authored Aug 13, 2020 by Jonah Chin Committed by Commit Bot Aug 13, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 5 deletions

gpu/command_buffer/service/raster_decoder.cc gpu/command_buffer/service/raster_decoder.cc +22 -5

No files found.
--- a/gpu/command_buffer/service/raster_decoder.cc
+++ b/gpu/command_buffer/service/raster_decoder.cc
@@ -2436,9 +2436,17 @@ void RasterDecoderImpl::DoWritePixelsINTERNAL(GLint x_offset,
    }
  }

+  size_t byte_size = src_info.computeByteSize(row_bytes);
+  if (byte_size > UINT32_MAX) {
+    LOCAL_SET_GL_ERROR(
+        GL_INVALID_VALUE, "glWritePixels",
+        "Cannot request a memory chunk larger than UINT32_MAX bytes");
+    return;
+  }
+
  // The pixels are stored after the serialized SkColorSpace + padding
-  void* pixel_data = GetSharedMemoryAs<void*>(
-      shm_id, shm_offset + pixels_offset, src_info.computeByteSize(row_bytes));
+  void* pixel_data =
+      GetSharedMemoryAs<void*>(shm_id, shm_offset + pixels_offset, byte_size);
  if (!pixel_data) {
    LOCAL_SET_GL_ERROR(GL_INVALID_OPERATION, "glWritePixels",
                       "Couldn't retrieve pixel data.");
@@ -2553,15 +2561,24 @@ void RasterDecoderImpl::DoReadbackImagePixelsINTERNAL(
    return;
  }

-  void* shm_address = GetSharedMemoryAs<void*>(
-      shm_id, shm_offset + pixels_offset, dst_info.computeByteSize(row_bytes));
+  size_t byte_size = dst_info.computeByteSize(row_bytes);
+  if (byte_size > UINT32_MAX) {
+    LOCAL_SET_GL_ERROR(
+        GL_INVALID_VALUE, "glReadbackImagePixels",
+        "Cannot request a memory chunk larger than UINT32_MAX bytes");
+    return;
+  }
+
+  void* shm_address =
+      GetSharedMemoryAs<void*>(shm_id, shm_offset + pixels_offset, byte_size);
  if (!shm_address) {
    LOCAL_SET_GL_ERROR(GL_INVALID_OPERATION, "glReadbackImagePixels",
                       "Failed to retrieve memory for readPixels");
    return;
  }

-  bool success = sk_image->readPixels(dst_info, shm_address, row_bytes, 0, 0);
+  bool success =
+      sk_image->readPixels(dst_info, shm_address, row_bytes, src_x, src_y);
  if (!success) {
    LOCAL_SET_GL_ERROR(GL_INVALID_OPERATION, "glReadbackImagePixels",
                       "Failed to read pixels from SkImage");