summaryrefslogtreecommitdiff
path: root/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc
diff options
context:
space:
mode:
Diffstat (limited to 'chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc')
-rw-r--r--chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc19
1 files changed, 15 insertions, 4 deletions
diff --git a/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc b/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc
index 579cd3cbdfc..a15b6f9b3b3 100644
--- a/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc
+++ b/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc
@@ -30,8 +30,13 @@ class ReadHandleImpl
size_t offset,
size_t size,
void* serializePointer) override {
- DCHECK_LE(offset, size_);
- DCHECK_LE(size, size_ - offset);
+ // TODO(crbug.com/1373314): A compromised renderer could have a shared
+ // memory size not large enough to fit the GPU buffer contents. Instead of
+ // DCHECK, do a CHECK here to crash the release build. The crash is fine
+ // since it is not reachable from normal behavior. WebGPU post-V1 will have
+ // a refactored API.
+ CHECK_LE(offset, size_);
+ CHECK_LE(size, size_ - offset);
// Copy the data into the shared memory allocation.
// In the case of buffer mapping, this is the mapped GPU memory which we
// copy into client-visible shared memory.
@@ -94,7 +99,10 @@ bool DawnServiceMemoryTransferService::DeserializeReadHandle(
size_t deserialize_size,
ReadHandle** read_handle) {
DCHECK(deserialize_pointer);
- DCHECK_EQ(deserialize_size, sizeof(MemoryTransferHandle));
+ // Use CHECK instead of DCHECK because the cast of the memory to
+ // MemoryTransferHandle and subsequent reads won't be safe if deserialize_size
+ // is too small.
+ CHECK_EQ(deserialize_size, sizeof(MemoryTransferHandle));
const volatile MemoryTransferHandle* handle =
reinterpret_cast<const volatile MemoryTransferHandle*>(
deserialize_pointer);
@@ -119,7 +127,10 @@ bool DawnServiceMemoryTransferService::DeserializeWriteHandle(
size_t deserialize_size,
WriteHandle** write_handle) {
DCHECK(deserialize_pointer);
- DCHECK_EQ(deserialize_size, sizeof(MemoryTransferHandle));
+ // Use CHECK instead of DCHECK because the cast of the memory to
+ // MemoryTransferHandle and subsequent reads won't be safe if deserialize_size
+ // is too small.
+ CHECK_EQ(deserialize_size, sizeof(MemoryTransferHandle));
const volatile MemoryTransferHandle* handle =
reinterpret_cast<const volatile MemoryTransferHandle*>(
deserialize_pointer);
View Lorry Controller Status