Diffstat (limited to 'chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc')
-rw-r--r-- | chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc b/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc
index 579cd3cbdfc..a15b6f9b3b3 100644
--- a/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc
+++ b/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc
@@ -30,8 +30,13 @@ class ReadHandleImpl
 size_t offset,
 size_t size,
 void* serializePointer) override {
- DCHECK_LE(offset, size_);
- DCHECK_LE(size, size_ - offset);
+ // TODO(crbug.com/1373314): A compromised renderer could have a shared
+ // memory size not large enough to fit the GPU buffer contents. Instead of
+ // DCHECK, do a CHECK here to crash the release build. The crash is fine
+ // since it is not reachable from normal behavior. WebGPU post-V1 will have
+ // a refactored API.
+ CHECK_LE(offset, size_);
+ CHECK_LE(size, size_ - offset);
 // Copy the data into the shared memory allocation.
 // In the case of buffer mapping, this is the mapped GPU memory which we
 // copy into client-visible shared memory.
@@ -94,7 +99,10 @@ bool DawnServiceMemoryTransferService::DeserializeReadHandle(
 size_t deserialize_size,
 ReadHandle** read_handle) {
 DCHECK(deserialize_pointer);
- DCHECK_EQ(deserialize_size, sizeof(MemoryTransferHandle));
+ // Use CHECK instead of DCHECK because the cast of the memory to
+ // MemoryTransferHandle and subsequent reads won't be safe if deserialize_size
+ // is too small.
+ CHECK_EQ(deserialize_size, sizeof(MemoryTransferHandle));
 const volatile MemoryTransferHandle* handle =
 reinterpret_cast<const volatile MemoryTransferHandle*>(
 deserialize_pointer);
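Review bot: The two new CHECKs in SerializeDataUpdate are order-dependent — `CHECK_LE(size, size_ - offset)` is only free of unsigned wrap because `CHECK_LE(offset, size_)` runs first — and the new comment explains why CHECK replaces DCHECK but says nothing about that ordering, so a later reshuffle could silently reintroduce a wrap. I would add one line directly above the pair: `// Order matters: the first CHECK keeps size_ - offset from wrapping.` It is also worth stating in the TODO that a compromised renderer can now deterministically crash the GPU process, which is shared by every renderer; that trade-off is presumably accepted because the function appears to have no error return, but writing it down keeps the post-V1 refactor honest about what it should replace. The enclosing SerializeDataUpdate signature starts before the hunk and its body continues after it.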
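Review bot: The new `CHECK_EQ(deserialize_size, sizeof(MemoryTransferHandle))` in DeserializeReadHandle makes the size safe, but the `reinterpret_cast<const volatile MemoryTransferHandle*>` on the context lines right after it still assumes `deserialize_pointer` is suitably aligned for the struct, which nothing in the hunk establishes; if the wire buffer hands out arbitrary byte offsets that is a misaligned access (UB, and a fault on strict-alignment targets). Copying into a local instead — `MemoryTransferHandle handle_copy; memcpy(&handle_copy, deserialize_pointer, sizeof(handle_copy));` — removes the alignment assumption and also snapshots the fields once, which matters if the `volatile` is there because the renderer can race writes to this memory; the later reads through `handle` would then go through the copy. Whether Dawn's deserializer already aligns the pointer is not visible here, so this may be a no-op in practice, in which case a comment saying so is enough. Leaving `DCHECK(deserialize_pointer)` as a DCHECK on the line above the upgraded check is presumably fine only if that pointer is server-computed rather than renderer-supplied. DeserializeReadHandle's signature begins before the hunk and its body continues past it.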
@@ -119,7 +127,10 @@ bool DawnServiceMemoryTransferService::DeserializeWriteHandle(
 size_t deserialize_size,
 WriteHandle** write_handle) {
 DCHECK(deserialize_pointer);
- DCHECK_EQ(deserialize_size, sizeof(MemoryTransferHandle));
+ // Use CHECK instead of DCHECK because the cast of the memory to
+ // MemoryTransferHandle and subsequent reads won't be safe if deserialize_size
+ // is too small.
+ CHECK_EQ(deserialize_size, sizeof(MemoryTransferHandle));
 const volatile MemoryTransferHandle* handle =
 reinterpret_cast<const volatile MemoryTransferHandle*>(
 deserialize_pointer);
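Review bot: The upgraded check and its three-line comment in DeserializeWriteHandle are a verbatim copy of the ones added to DeserializeReadHandle above, and both functions then perform the same `reinterpret_cast` on the same kind of input, so the security-relevant validation now lives in two places that must be kept in sync by hand. I would factor the check and the cast into one file-local helper (in the anonymous namespace, or wherever ReadHandleImpl already lives) and have both deserializers call it, so any future tightening — an alignment check, a memcpy snapshot — lands once. The sketch below shows only the helper and the replaced lines. DeserializeWriteHandle's signature starts before the hunk and its body continues after it.
```cpp
namespace {

// Validates the untrusted wire-encoded size before the cast. CHECK rather
// than DCHECK: a renderer-supplied size smaller than the struct would make
// the cast and the reads that follow it unsafe in release builds.
const volatile MemoryTransferHandle* ToMemoryTransferHandle(
    const void* deserialize_pointer,
    size_t deserialize_size) {
  DCHECK(deserialize_pointer);
  CHECK_EQ(deserialize_size, sizeof(MemoryTransferHandle));
  return reinterpret_cast<const volatile MemoryTransferHandle*>(
      deserialize_pointer);
}

}  // namespace

// … unchanged: DeserializeWriteHandle signature …
  const volatile MemoryTransferHandle* handle =
      ToMemoryTransferHandle(deserialize_pointer, deserialize_size);
// … unchanged: rest of DeserializeWriteHandle …
```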