Verify texture target and size for content::GpuVideoDecodeAccelerator

When reading texture target info across untrusted IPC, the texture
target and textures sizes should be verified as appropriate.

BUG=chromium:167417
BUG=chromium-os:38376
TEST=local build, run on CrOS

Change-Id: Ibc9bf370eda73d699646268f2789bfdb6d71ca05


Review URL: https://chromiumcodereview.appspot.com/12520002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@186629 0039d316-1c4b-4281-b951-d872f2087c98

3 files changed, 26 insertions, 5 deletions

diff --git a/content/common/gpu/media/android_video_decode_accelerator.cc b/content/common/gpu/media/android_video_decode_accelerator.cc
index 1f90308..2ddd7a3 100644
--- a/content/common/gpu/media/android_video_decode_accelerator.cc
+++ b/content/common/gpu/media/android_video_decode_accelerator.cc
@@ -346,6 +346,9 @@ void AndroidVideoDecodeAccelerator::AssignPictureBuffers(
   DCHECK(output_picture_buffers_.empty());
 
   for (size_t i = 0; i < buffers.size(); ++i) {
+    RETURN_ON_FAILURE(buffers[i].size() != size_,
+                      "Invalid picture buffer size was passed.",
+                      INVALID_ARGUMENT);
     output_picture_buffers_.insert(std::make_pair(buffers[i].id(), buffers[i]));
     free_picture_ids_.push(buffers[i].id());
   }
diff --git a/content/common/gpu/media/exynos_video_decode_accelerator.cc b/content/common/gpu/media/exynos_video_decode_accelerator.cc
index 10421f7..43089b9 100644
--- a/content/common/gpu/media/exynos_video_decode_accelerator.cc
+++ b/content/common/gpu/media/exynos_video_decode_accelerator.cc
@@ -427,11 +427,19 @@ void ExynosVideoDecodeAccelerator::AssignPictureBuffers(
   DCHECK(child_message_loop_proxy_->BelongsToCurrentThread());
 
   if (buffers.size() != gsc_output_buffer_map_.size()) {
-    DLOG(ERROR) << "AssignPictureBuffers(): invalid buffer_count";
+    DLOG(ERROR) << "AssignPictureBuffers(): invalid buffer count";
     NOTIFY_ERROR(INVALID_ARGUMENT);
     return;
   }
 
+  for (size_t i = 0; i < buffers.size(); ++i) {
+    if (buffers[i].size() != frame_buffer_size_) {
+      DLOG(ERROR) << "AssignPictureBuffers(): invalid buffer size";
+      NOTIFY_ERROR(INVALID_ARGUMENT);
+      return;
+    }
+  }
+
   if (!make_context_current_.Run()) {
     DLOG(ERROR) << "AssignPictureBuffers(): could not make context current";
     NOTIFY_ERROR(PLATFORM_FAILURE);
diff --git a/content/common/gpu/media/gpu_video_decode_accelerator.cc b/content/common/gpu/media/gpu_video_decode_accelerator.cc
index 910537f..7bdabbf 100644
--- a/content/common/gpu/media/gpu_video_decode_accelerator.cc
+++ b/content/common/gpu/media/gpu_video_decode_accelerator.cc
@@ -260,13 +260,23 @@ void GpuVideoDecodeAccelerator::OnAssignPictureBuffers(
       NotifyError(media::VideoDecodeAccelerator::INVALID_ARGUMENT);
       return;
     }
-    GLsizei width, height;
-    info->GetLevelSize(texture_target_, 0, &width, &height);
-    if (width != sizes[i].width() || height != sizes[i].height()) {
-      DLOG(FATAL) << "Size mismatch for texture id " << texture_ids[i];
+    if (info->target() != texture_target_) {
+      DLOG(FATAL) << "Texture target mismatch for texture id "
+                  << texture_ids[i];
       NotifyError(media::VideoDecodeAccelerator::INVALID_ARGUMENT);
       return;
     }
+    // GL_TEXTURE_EXTERNAL_OES textures have their dimensions defined by the
+    // underlying EGLImage.
+    if (texture_target_ != GL_TEXTURE_EXTERNAL_OES) {
+      GLsizei width = 0, height = 0;
+      info->GetLevelSize(texture_target_, 0, &width, &height);
+      if (width != sizes[i].width() || height != sizes[i].height()) {
+        DLOG(FATAL) << "Size mismatch for texture id " << texture_ids[i];
+        NotifyError(media::VideoDecodeAccelerator::INVALID_ARGUMENT);
+        return;
+      }
+    }
     if (!texture_manager->ClearRenderableLevels(command_decoder, info)) {
       DLOG(FATAL) << "Failed to Clear texture id " << texture_ids[i];
       NotifyError(media::VideoDecodeAccelerator::PLATFORM_FAILURE);