media: Prevent int overflow during GMB allocation.

This CL modifies the helper function AllocateGpuMemoryBufferHandle() to prevent an int overflows when getting the ID of the next GpuMemoryBuffer to be allocated. If we are about to overflow, we just crash the GPU process. This is not the ideal situation, but I don't expect it to happen often. There are other solutions but they would be more intrusive. Bug: 1092283 Test: video.Play.h264 on eve Change-Id: Iba28a996837b5d37ab42c14e457c6e1d54b6b3cc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2238870Reviewed-by: Hirokazu Honda <hiroh@chromium.org> Commit-Queue: Andres Calderon Jaramillo <andrescj@chromium.org> Cr-Commit-Position: refs/heads/master@{#777031}

media: Prevent int overflow during GMB allocation.
This CL modifies the helper function AllocateGpuMemoryBufferHandle() to prevent an int overflows when getting the ID of the next GpuMemoryBuffer to be allocated. If we are about to overflow, we just crash the GPU process. This is not the ideal situation, but I don't expect it to happen often. There are other solutions but they would be more intrusive. Bug: 1092283 Test: video.Play.h264 on eve Change-Id: Iba28a996837b5d37ab42c14e457c6e1d54b6b3cc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2238870Reviewed-by: Hirokazu Honda <hiroh@chromium.org> Commit-Queue: Andres Calderon Jaramillo <andrescj@chromium.org> Cr-Commit-Position: refs/heads/master@{#777031}
ef9c8ce2 · Andres Calderon Jaramillo · Commit Bot · c0fb3e7f · ef9c8ce2
Commit ef9c8ce2 authored Jun 10, 2020 by Andres Calderon Jaramillo Committed by Commit Bot Jun 10, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 4 deletions

media/gpu/chromeos/platform_video_frame_utils.cc media/gpu/chromeos/platform_video_frame_utils.cc +15 -4

No files found.
--- a/media/gpu/chromeos/platform_video_frame_utils.cc
+++ b/media/gpu/chromeos/platform_video_frame_utils.cc
@@ -4,12 +4,15 @@

 #include "media/gpu/chromeos/platform_video_frame_utils.h"

-#include "base/atomic_sequence_num.h"
+#include <limits>
+
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback_helpers.h"
 #include "base/files/scoped_file.h"
+#include "base/no_destructor.h"
 #include "base/posix/eintr_wrapper.h"
+#include "base/synchronization/lock.h"
 #include "gpu/ipc/common/gpu_client_ids.h"
 #include "gpu/ipc/common/gpu_memory_buffer_support.h"
 #include "gpu/ipc/service/gpu_memory_buffer_factory.h"
@@ -37,11 +40,19 @@ gfx::GpuMemoryBufferHandle AllocateGpuMemoryBufferHandle(
  if (!buffer_format)
    return gmb_handle;

-  static base::AtomicSequenceNumber buffer_id_generator;
+  int gpu_memory_buffer_id;
+  {
+    static base::NoDestructor<base::Lock> id_lock;
+    static int next_gpu_memory_buffer_id = 0;
+    base::AutoLock lock(*id_lock);
+    CHECK_LT(next_gpu_memory_buffer_id, std::numeric_limits<int>::max());
+    gpu_memory_buffer_id = next_gpu_memory_buffer_id++;
+  }
+
  // TODO(hiroh): Rename the client id to more generic one.
  gmb_handle = factory->CreateGpuMemoryBuffer(
-      gfx::GpuMemoryBufferId(buffer_id_generator.GetNext()), coded_size,
-      *buffer_format, buffer_usage, gpu::kPlatformVideoFramePoolClientId,
+      gfx::GpuMemoryBufferId(gpu_memory_buffer_id), coded_size, *buffer_format,
+      buffer_usage, gpu::kPlatformVideoFramePoolClientId,
      gfx::kNullAcceleratedWidget);
  DCHECK(gmb_handle.is_null() || gmb_handle.type != gfx::NATIVE_PIXMAP ||
         VideoFrame::NumPlanes(pixel_format) ==