Skip to content

GitLab

T
tangled
Commit c6ac5cd1 authored by Madeleine Barowsky's avatar Madeleine Barowsky Committed by Commit Bot
Browse files
Options

Add value-checking and initialization in Deserialize and assume 3 planes 

Attempted fixes for fuzzer bugs.

Bug: 985995,986029,986007,987476
Change-Id: I3da85945fd722224da9c027f71944c97c823e8db
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1718993
Commit-Queue: Madeleine Barowsky <mbarowsky@chromium.org>
Reviewed-by: default avatarenne <enne@chromium.org>
Cr-Commit-Position: refs/heads/master@{#683250}
parent f408a9b5
Hide whitespace changes
Inline Side-by-side
Showing with 7 additions and 7 deletions
cc/paint/image_transfer_cache_entry.cc
View file @ c6ac5cd1
...@@ -376,14 +376,14 @@ bool ServiceImageTransferCacheEntry::Deserialize( ...@@ -376,14 +376,14 @@ bool ServiceImageTransferCacheEntry::Deserialize(
PaintOp::DeserializeOptions options(nullptr, nullptr, nullptr, PaintOp::DeserializeOptions options(nullptr, nullptr, nullptr,
&scratch_buffer); &scratch_buffer);
PaintOpReader reader(data.data(), data.size(), options); PaintOpReader reader(data.data(), data.size(), options);
uint32_t image_is_yuv; uint32_t image_is_yuv = 0;
reader.Read(&image_is_yuv); reader.Read(&image_is_yuv);
if (!!image_is_yuv) { if (!!image_is_yuv) {
uint32_t num_planes; uint32_t num_planes = 0;
reader.Read(&num_planes); reader.Read(&num_planes);
// YUV or YUVA // TODO(crbug.com/910276): Allow for four planes if YUVA.
// TODO(crbug.com/986575): consider serializing a YUVDecodeFormat. // TODO(crbug.com/986575): consider serializing a YUVDecodeFormat.
if (num_planes != 3u && num_planes != 4u) if (num_planes != 3u)
return false; return false;
plane_images_format_ = plane_images_format_ =
num_planes == 3u ? YUVDecodeFormat::kYUV3 : YUVDecodeFormat::kYUVA4; num_planes == 3u ? YUVDecodeFormat::kYUV3 : YUVDecodeFormat::kYUVA4;
...@@ -400,9 +400,9 @@ bool ServiceImageTransferCacheEntry::Deserialize( ...@@ -400,9 +400,9 @@ bool ServiceImageTransferCacheEntry::Deserialize(
auto gr_mips = has_mips_ ? GrMipMapped::kYes : GrMipMapped::kNo; auto gr_mips = has_mips_ ? GrMipMapped::kYes : GrMipMapped::kNo;
// Read in each plane and reconstruct pixmaps. // Read in each plane and reconstruct pixmaps.
for (uint32_t i = 0; i < num_planes; i++) { for (uint32_t i = 0; i < num_planes; i++) {
uint32_t plane_width; uint32_t plane_width = 0;
reader.Read(&plane_width); reader.Read(&plane_width);
uint32_t plane_height; uint32_t plane_height = 0;
reader.Read(&plane_height); reader.Read(&plane_height);
// Because Skia does not support YUV rasterization from software planes, // Because Skia does not support YUV rasterization from software planes,
// we require that each pixmap fits in a GPU texture. In the // we require that each pixmap fits in a GPU texture. In the
...@@ -412,7 +412,7 @@ bool ServiceImageTransferCacheEntry::Deserialize( ...@@ -412,7 +412,7 @@ bool ServiceImageTransferCacheEntry::Deserialize(
// We compute this for each plane in case a malicious renderer tries to // We compute this for each plane in case a malicious renderer tries to
// send very large U or V planes. // send very large U or V planes.
fits_on_gpu_ = plane_width <= max_size && plane_height <= max_size; fits_on_gpu_ = plane_width <= max_size && plane_height <= max_size;
if (!fits_on_gpu_) if (!fits_on_gpu_ || plane_width == 0 || plane_height == 0)
return false; return false;
size_t plane_bytes; size_t plane_bytes;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment