Fix heap overflow in VideoFrameYUVConverter

Currently with some texture sizes GLES2Util::ComputeImageDataSizesES3 will attempt to add row padding when calculating the size of a VideoFrame plane. This is because it's currently assumed that each row aligns on a 4 byte boundary based on GL_UNPACK_ALIGNMENT but VideoFrames make no such guarantee as they may be densely packed. This CL removes the GL_UNPACK_ALIGNMENT assumption so that we only use the VideoFrame's stride when calculating padding. Bug: 1166504, 1161131 Change-Id: I2484f5dfd2ad85b088fee57758776a5c9bd01d95 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2642765Reviewed-by: Vasiliy Telezhnikov <vasilyt@chromium.org> Commit-Queue: Nathan Zabriskie <nazabris@microsoft.com> Cr-Commit-Position: refs/heads/master@{#846298}

Fix heap overflow in VideoFrameYUVConverter
Currently with some texture sizes GLES2Util::ComputeImageDataSizesES3 will attempt to add row padding when calculating the size of a VideoFrame plane. This is because it's currently assumed that each row aligns on a 4 byte boundary based on GL_UNPACK_ALIGNMENT but VideoFrames make no such guarantee as they may be densely packed. This CL removes the GL_UNPACK_ALIGNMENT assumption so that we only use the VideoFrame's stride when calculating padding. Bug: 1166504, 1161131 Change-Id: I2484f5dfd2ad85b088fee57758776a5c9bd01d95 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2642765Reviewed-by: Vasiliy Telezhnikov <vasilyt@chromium.org> Commit-Queue: Nathan Zabriskie <nazabris@microsoft.com> Cr-Commit-Position: refs/heads/master@{#846298}
7de5d0ec · Nathan Zabriskie · Chromium LUCI CQ · 242fb257 · 7de5d0ec · 7de5d0ec
Commit 7de5d0ec authored Jan 22, 2021 by Nathan Zabriskie Committed by Chromium LUCI CQ Jan 22, 2021
Showing with 7 additions and 2 deletions

gpu/command_buffer/client/gles2_implementation.cc gpu/command_buffer/client/gles2_implementation.cc +3 -2

gpu/command_buffer/client/raster_implementation_gles.cc gpu/command_buffer/client/raster_implementation_gles.cc +4 -0

No files found.
--- a/gpu/command_buffer/client/gles2_implementation.cc
+++ b/gpu/command_buffer/client/gles2_implementation.cc
@@ -880,7 +880,9 @@ bool GLES2Implementation::GetHelper(GLenum pname, GLint* params) {
    case GL_GPU_DISJOINT_EXT:
      *params = static_cast<GLint>(query_tracker_->CheckAndResetDisjoint());
      return true;
-
+    case GL_UNPACK_ALIGNMENT:
+      *params = unpack_alignment_;
+      return true;
    case GL_VIEWPORT:
      if (state_.viewport_width > 0 && state_.viewport_height > 0 &&
          capabilities_.max_viewport_width > 0 &&
@@ -962,7 +964,6 @@ bool GLES2Implementation::GetHelper(GLenum pname, GLint* params) {
    case GL_STENCIL_VALUE_MASK:
    case GL_STENCIL_WRITEMASK:
    case GL_SUBPIXEL_BITS:
-    case GL_UNPACK_ALIGNMENT:
      return false;
    default:
      break;

--- a/gpu/command_buffer/client/raster_implementation_gles.cc
+++ b/gpu/command_buffer/client/raster_implementation_gles.cc
@@ -178,6 +178,9 @@ void RasterImplementationGLES::WritePixels(const gpu::Mailbox& dest_mailbox,
  BeginSharedImageAccessDirectCHROMIUM(
      texture_id, GL_SHARED_IMAGE_ACCESS_MODE_READWRITE_CHROMIUM);

+  GLint old_align = 0;
+  gl_->GetIntegerv(GL_UNPACK_ALIGNMENT, &old_align);
+  gl_->PixelStorei(GL_UNPACK_ALIGNMENT, 1);
  gl_->PixelStorei(GL_UNPACK_ROW_LENGTH, row_bytes / src_info.bytesPerPixel());
  gl_->BindTexture(texture_target, texture_id);
  gl_->TexSubImage2D(texture_target, 0, dst_x_offset, dst_y_offset,
@@ -186,6 +189,7 @@ void RasterImplementationGLES::WritePixels(const gpu::Mailbox& dest_mailbox,
                     SkColorTypeToGLDataType(src_info.colorType()), src_pixels);
  gl_->BindTexture(texture_target, 0);
  gl_->PixelStorei(GL_UNPACK_ROW_LENGTH, 0);
+  gl_->PixelStorei(GL_UNPACK_ALIGNMENT, old_align);

  EndSharedImageAccessDirectCHROMIUM(texture_id);
  DeleteGpuRasterTexture(texture_id);