diff options
Diffstat (limited to 'chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc')
| -rw-r--r-- | chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc b/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc index 2df536f5bdb..e5e2838dcc6 100644 --- a/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc +++ b/chromium/gpu/command_buffer/service/dawn_service_memory_transfer_service.cc @@ -29,7 +29,8 @@ class ReadHandleImpl size_t offset, size_t size, void* serializePointer) override { - DCHECK_LE(size + offset, size_); + DCHECK_LE(offset, size_); + DCHECK_LE(size, size_ - offset); // Copy the data into the shared memory allocation. // In the case of buffer mapping, this is the mapped GPU memory which we // copy into client-visible shared memory. @@ -56,10 +57,16 @@ class WriteHandleImpl size_t size) override { // Nothing is serialized because we're using shared memory. DCHECK_EQ(deserialize_size, 0u); - DCHECK_LE(size + offset, size_); DCHECK(mTargetData); DCHECK(ptr_); + if (offset > mDataLength || size > mDataLength - offset) { + return false; + } + if (offset > size_ || size > size_ - offset) { + return false; + } + // Copy from shared memory into the target buffer. // mTargetData will always be the starting address // of the backing buffer after the dawn side change. |