Skip to content

GitLab

T
tangled
Commit 9c66e77a authored by Ria Jiang's avatar Ria Jiang Committed by Commit Bot
Browse files
Options

Crash gpu process if HitTestQuery received invalid active region index. 

Bug: 746470
Cq-Include-Trybots: luci.chromium.try:android_optional_gpu_tests_rel
Change-Id: I474adb47645eb2de52fe4ce368b8baf390d3f574
Reviewed-on: https://chromium-review.googlesource.com/1036102Reviewed-by: default avatarRobert Kroeger <rjkroege@chromium.org>
Commit-Queue: Ria Jiang <riajiang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#554890}
parent 0ee54118
Hide whitespace changes
Inline Side-by-side
Showing with 4 additions and 7 deletions
components/viz/host/hit_test/hit_test_query.cc
View file @ 9c66e77a
...@@ -51,7 +51,10 @@ void HitTestQuery::OnAggregatedHitTestRegionListUpdated( ...@@ -51,7 +51,10 @@ void HitTestQuery::OnAggregatedHitTestRegionListUpdated(
void HitTestQuery::SwitchActiveAggregatedHitTestRegionList( void HitTestQuery::SwitchActiveAggregatedHitTestRegionList(
uint8_t active_handle_index) { uint8_t active_handle_index) {
DCHECK(active_handle_index == 0u || active_handle_index == 1u); if (active_handle_index != 0u && active_handle_index != 1u) {
ReceivedBadMessageFromGpuProcess();
return;
}
active_hit_test_list_ = static_cast<AggregatedHitTestRegion*>( active_hit_test_list_ = static_cast<AggregatedHitTestRegion*>(
handle_buffers_[active_handle_index].get()); handle_buffers_[active_handle_index].get());
active_hit_test_list_size_ = handle_buffer_sizes_[active_handle_index]; active_hit_test_list_size_ = handle_buffer_sizes_[active_handle_index];
......
components/viz/host/host_frame_sink_manager.cc
View file @ 9c66e77a
...@@ -436,12 +436,6 @@ void HostFrameSinkManager::SwitchActiveAggregatedHitTestRegionList( ...@@ -436,12 +436,6 @@ void HostFrameSinkManager::SwitchActiveAggregatedHitTestRegionList(
// in-flight hit-test data. // in-flight hit-test data.
if (iter == display_hit_test_query_.end()) if (iter == display_hit_test_query_.end())
return; return;
if (active_handle_index != 0u && active_handle_index != 1u) {
// TODO(riajiang): Report security fault. http://crbug.com/746470
NOTREACHED();
return;
}
iter->second->SwitchActiveAggregatedHitTestRegionList(active_handle_index); iter->second->SwitchActiveAggregatedHitTestRegionList(active_handle_index);
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment