Fix Mac Giant Surface Fuzzer Crash

TestRunnerBindings::SetBackingScaleFactor allows our test suites to simulate device scale factor changes. Currently it caps the scale factor at 100x, based on previous crashes seen in https://crbug.com/899482 However we hit similar crashes for lower scale factors when working with larger initial sizes. In this fuzz case 800x600 size, but a scale request of 1x10^17. There are a few different potential crashes as a result: - 100x = gfx::Size::GetCheckedArea overflows int (80000x60000) - 50x = GLES2DecoderImpl::TexStorageImpl fails with "dimensions out of range" - 20x = GL ERROR :GL_OUT_OF_MEMORY - 19x = no error I've elected to go with 15x. However there is nothing explicit in this API to prevent similar crashes when using larger sized surfaces. No displays currently use scale factors this large, so there is no issue to be concerned of in production. Bug: 900271 Change-Id: Icd0f75813b07f98bc51c56535000f2513cbceaa1 Reviewed-on: https://chromium-review.googlesource.com/c/1352612Reviewed-by: Pavel Feldman <pfeldman@chromium.org> Commit-Queue: Jonathan Ross <jonross@chromium.org> Cr-Commit-Position: refs/heads/master@{#611892}

Fix Mac Giant Surface Fuzzer Crash
TestRunnerBindings::SetBackingScaleFactor allows our test suites to simulate device scale factor changes. Currently it caps the scale factor at 100x, based on previous crashes seen in https://crbug.com/899482 However we hit similar crashes for lower scale factors when working with larger initial sizes. In this fuzz case 800x600 size, but a scale request of 1x10^17. There are a few different potential crashes as a result: - 100x = gfx::Size::GetCheckedArea overflows int (80000x60000) - 50x = GLES2DecoderImpl::TexStorageImpl fails with "dimensions out of range" - 20x = GL ERROR :GL_OUT_OF_MEMORY - 19x = no error I've elected to go with 15x. However there is nothing explicit in this API to prevent similar crashes when using larger sized surfaces. No displays currently use scale factors this large, so there is no issue to be concerned of in production. Bug: 900271 Change-Id: Icd0f75813b07f98bc51c56535000f2513cbceaa1 Reviewed-on: https://chromium-review.googlesource.com/c/1352612Reviewed-by: Pavel Feldman <pfeldman@chromium.org> Commit-Queue: Jonathan Ross <jonross@chromium.org> Cr-Commit-Position: refs/heads/master@{#611892}
ae938e03 · Jonathan Ross · Commit Bot · 4b5d0ed3 · ae938e03
Commit ae938e03 authored Nov 28, 2018 by Jonathan Ross Committed by Commit Bot Nov 28, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 3 deletions

content/shell/test_runner/test_runner.cc content/shell/test_runner/test_runner.cc +6 -3

No files found.
--- a/content/shell/test_runner/test_runner.cc
+++ b/content/shell/test_runner/test_runner.cc
@@ -1224,10 +1224,13 @@ std::string TestRunnerBindings::PathToLocalResource(const std::string& path) {
 void TestRunnerBindings::SetBackingScaleFactor(
    double value,
    v8::Local<v8::Function> callback) {
-  // Limit backing scale factor to something "reasonable" - 100x. Without
+  // Limit backing scale factor to something low - 15x. Without
  // this limit, arbitrarily large values can be used, which can lead to
-  // crashes and other problems: See https://crbug.com/899482.
-  double limited_value = fmin(100.0, value);
+  // crashes and other problems. Examples of problems: gfx::Size::GetCheckedArea
+  // crashes with a size which overflows int; GLES2DecoderImpl::TexStorageImpl
+  // fails with "dimensions out of range"; GL ERROR :GL_OUT_OF_MEMORY.
+  // See https://crbug.com/899482 or https://crbug.com/900271
+  double limited_value = fmin(15, value);
  if (view_runner_)
    view_runner_->SetBackingScaleFactor(limited_value, callback);
 }