Harden gpu::SizedResult against overflow

Use CheckedNumerics to prevent silent uint32_t overflow. Bug: 905336, 905459 Change-Id: Ie518def9063143ef2393be566419a209f68f0dce Reviewed-on: https://chromium-review.googlesource.com/c/1336083Reviewed-by: Kenneth Russell <kbr@chromium.org> Reviewed-by: Abhishek Arya <inferno@chromium.org> Commit-Queue: Antoine Labour <piman@chromium.org> Cr-Commit-Position: refs/heads/master@{#608184}

Harden gpu::SizedResult against overflow
Use CheckedNumerics to prevent silent uint32_t overflow. Bug: 905336, 905459 Change-Id: Ie518def9063143ef2393be566419a209f68f0dce Reviewed-on: https://chromium-review.googlesource.com/c/1336083Reviewed-by: Kenneth Russell <kbr@chromium.org> Reviewed-by: Abhishek Arya <inferno@chromium.org> Commit-Queue: Antoine Labour <piman@chromium.org> Cr-Commit-Position: refs/heads/master@{#608184}
ae582206 · Antoine Labour · Commit Bot · f92523f1 · ae582206
Commit ae582206 authored Nov 15, 2018 by Antoine Labour Committed by Commit Bot Nov 15, 2018
Show whitespace changes
Inline Side-by-side

Showing with 22 additions and 8 deletions

gpu/command_buffer/common/common_cmd_format.h gpu/command_buffer/common/common_cmd_format.h +22 -8

No files found.
--- a/gpu/command_buffer/common/common_cmd_format.h
+++ b/gpu/command_buffer/common/common_cmd_format.h
@@ -12,6 +12,7 @@
 #include <string.h>

 #include "base/atomicops.h"
+#include "base/numerics/checked_math.h"
 #include "gpu/command_buffer/common/cmd_buffer_common.h"

 namespace gpu {
@@ -33,25 +34,38 @@ struct SizedResult {

  // Returns the total size in bytes of the SizedResult for a given number of
  // results including the size field.
-  static size_t ComputeSize(size_t num_results) {
-    return sizeof(T) * num_results + sizeof(uint32_t);  // NOLINT
+  static uint32_t ComputeSize(base::CheckedNumeric<uint32_t> num_results) {
+    base::CheckedNumeric<uint32_t> size = num_results;
+    size *= sizeof(T);
+    size += sizeof(uint32_t);
+    return size.ValueOrDie();
  }

  // Returns the maximum number of results for a given buffer size.
  static uint32_t ComputeMaxResults(size_t size_of_buffer) {
-    return (size_of_buffer >= sizeof(uint32_t))
-               ? ((size_of_buffer - sizeof(uint32_t)) / sizeof(T))
-               : 0;  // NOLINT
+    base::CheckedNumeric<uint32_t> max_results = 0;
+    if (size_of_buffer >= sizeof(uint32_t)) {
+      max_results = size_of_buffer;
+      max_results -= sizeof(uint32_t);
+      max_results /= sizeof(T);
+    }
+    return max_results.ValueOrDefault(0);
  }

  // Set the size for a given number of results.
-  void SetNumResults(size_t num_results) {
-    size = sizeof(T) * num_results;  // NOLINT
+  void SetNumResults(base::CheckedNumeric<uint32_t> num_results) {
+    base::CheckedNumeric<uint32_t> bytes = num_results;
+    bytes *= sizeof(T);
+    size = bytes.ValueOrDie();
  }

  // Get the number of elements in the result
  int32_t GetNumResults() const {
-    return size / sizeof(T);  // NOLINT
+    // TODO(piman): return uint32_t here to remove the need for checked
+    // numerics.
+    base::CheckedNumeric<uint32_t> num_results = size;
+    num_results /= sizeof(T);
+    return num_results.ValueOrDie<int32_t>();
  }

  // Copy the result.