authorgman@google.com <gman@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2009-09-04 22:08:46 +0000
committergman@google.com <gman@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2009-09-04 22:08:46 +0000
commit2d98f2a6dc2cec8b5661e36763d31d422d749e2c (patch)
treed73e8dee8d106a53bcfa34b0476d08740ac04624
parentc54a6ad63d5636174ed6f50637b81602cbf92f10 (diff)
Add check for offset + number_of_bytes overflow
to UPDATE_TEXTURE2D and UPDATE_TEXTURE2D_RECT IMC messages. This was moved from issue 199008 because codereview.chromium.org was giving bogus errors C:\src\o3d_outside_pc\o3d>gcl upload fix Upload server: codereview.chromium.org (change with -s/--server) Email [gman@google.com]: Password for gman@google.com: Saving authentication cookies to C:\Documents and Settings\gman\.codereview_upload_cookies Issue creation errors: {'user': ["You (Gman@google.com) don't own this issue (199008)"]} Review URL: http://codereview.chromium.org/192030 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@25524 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--o3d/core/cross/message_queue.cc6
1 files changed, 4 insertions, 2 deletions
diff --git a/o3d/core/cross/message_queue.cc b/o3d/core/cross/message_queue.cc
index d8962b2..ae30a58 100644
--- a/o3d/core/cross/message_queue.cc
+++ b/o3d/core/cross/message_queue.cc
@@ -582,7 +582,8 @@ bool MessageQueue::ProcessMessageUpdateTexture2D(
// Check that we will not be reading past the end of the allocated shared
// memory.
- if (message.offset + message.number_of_bytes > info->size) {
+ if (message.offset + message.number_of_bytes > info->size ||
+ message.offset + message.number_of_bytes < message.offset) {
O3D_ERROR(service_locator_)
<< "Offset + texture size exceeds allocated shared memory size ("
<< message.offset << " + " << message.number_of_bytes << " > "
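Review bot: The added wraparound test `message.offset + message.number_of_bytes < message.offset` is only reliable if both fields are unsigned; their declarations are not visible in this hunk. With signed operands the overflowing addition is undefined behaviour and a compiler may drop the comparison. A form that never overflows is `if (message.offset > info->size || message.number_of_bytes > info->size - message.offset) {`, assuming unsigned fields (signed ones would need negative values rejected first). The same applies to the matching check in ProcessMessageUpdateTexture2DRect. This branch now also fires on wraparound, where the logged "a + b > size" text is misleading, so a comment such as `// Also rejects offset + number_of_bytes wrapping around.` would help. The function body continues outside the hunk.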
@@ -657,7 +658,8 @@ bool MessageQueue::ProcessMessageUpdateTexture2DRect(
int32 number_of_bytes =
(message.height - 1) * message.pitch +
image::ComputePitch(texture_object->format(), message.width);
- if (message.offset + number_of_bytes > info->size) {
+ if (message.offset + number_of_bytes > info->size ||
+ message.offset + number_of_bytes < message.offset) {
O3D_ERROR(service_locator_)
<< "Offset + size as computed by width, height and pitch"
<< " exceeds allocated shared memory size ("
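Review bot: `number_of_bytes` is a signed `int32` computed as `(message.height - 1) * message.pitch + image::ComputePitch(...)` from message fields, and that arithmetic is not range-checked before the new comparison. The multiplication can overflow or go negative, for example with a height of zero or a large pitch, and then yield a value that passes both tests while the later copy presumably still uses the raw width, height and pitch. I would validate that height is at least 1 and pitch is non-negative, then compute the size in a 64-bit type and compare it against `info->size - message.offset` after confirming `message.offset <= info->size`. The types of the message fields and the rest of the function are outside this hunk, so please confirm against the struct definition.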