diff options
| author | gman@chromium.org <gman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-03-05 00:33:18 +0000 |
|---|---|---|
| committer | gman@chromium.org <gman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-03-05 00:33:18 +0000 |
| commit | a76b005bf78e63263abacfed35ad3e9ab3aef26a (patch) | |
| tree | 25fe4a79a6ce254d1a331d0c533ddc79a0553d3f /gpu/command_buffer/client/gles2_implementation.cc | |
| parent | 0bc2448f867ad96f0cffe102cc4fc13aede5c891 (diff) | |
| download | chromium_src-a76b005bf78e63263abacfed35ad3e9ab3aef26a.zip chromium_src-a76b005bf78e63263abacfed35ad3e9ab3aef26a.tar.gz chromium_src-a76b005bf78e63263abacfed35ad3e9ab3aef26a.tar.bz2 | |
Added SafeMultiply and SafeAdd to check for overflows
in math calculations related to memory access.
Refactored code to use them where appropriate.
One issue that has come up is we need to make sure that
no GLES2 client call can crash the GPU process. In other
words, the GLES2Implementation must never generate a
command the service side will see as malicious.
For example: glTexImage2d(..width = 0x7fffffff, height = 0x7fffffff)
should return an gl error rather than pass it through to the
service side which will currently return a parse error and stop
the GPU process.
It does make me wonder if the service side should return GL errors
for more things rather than parse errors.
TEST=none
BUG=35942,35943,35941,35938
Review URL: http://codereview.chromium.org/669011
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40696 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'gpu/command_buffer/client/gles2_implementation.cc')
| -rw-r--r-- | gpu/command_buffer/client/gles2_implementation.cc | 59 |
1 files changed, 47 insertions, 12 deletions
diff --git a/gpu/command_buffer/client/gles2_implementation.cc b/gpu/command_buffer/client/gles2_implementation.cc index 0dacb54..8e212d6 100644 --- a/gpu/command_buffer/client/gles2_implementation.cc +++ b/gpu/command_buffer/client/gles2_implementation.cc @@ -362,6 +362,12 @@ void GLES2Implementation::TexImage2D( SetGLError(GL_INVALID_VALUE); return; } + uint32 size; + if (!GLES2Util::ComputeImageDataSize( + width, height, format, type, unpack_alignment_, &size)) { + SetGLError(GL_INVALID_VALUE); + return; + } helper_->TexImage2D( target, level, internalformat, width, height, border, format, type, 0, 0); if (pixels) { @@ -378,10 +384,23 @@ void GLES2Implementation::TexSubImage2D( } const int8* source = static_cast<const int8*>(pixels); GLsizeiptr max_size = transfer_buffer_.GetLargestFreeOrPendingSize(); - GLsizeiptr unpadded_row_size = GLES2Util::ComputeImageDataSize( - width, 1, format, type, unpack_alignment_); - GLsizeiptr padded_row_size = GLES2Util::ComputeImageDataSize( - width, 2, format, type, unpack_alignment_) - unpadded_row_size; + uint32 temp_size; + if (!GLES2Util::ComputeImageDataSize( + width, 1, format, type, unpack_alignment_, &temp_size)) { + SetGLError(GL_INVALID_VALUE); + return; + } + GLsizeiptr unpadded_row_size = temp_size; + if (!GLES2Util::ComputeImageDataSize( + width, 2, format, type, unpack_alignment_, &temp_size)) { + SetGLError(GL_INVALID_VALUE); + return; + } + GLsizeiptr padded_row_size = temp_size - unpadded_row_size; + if (padded_row_size < 0 || unpadded_row_size < 0) { + SetGLError(GL_INVALID_VALUE); + return; + } if (padded_row_size <= max_size) { // Transfer by rows. @@ -401,8 +420,10 @@ void GLES2Implementation::TexSubImage2D( } } else { // Transfer by sub rows. Beacuse GL has no maximum texture dimensions. - GLsizeiptr element_size = GLES2Util::ComputeImageDataSize( - 1, 1, format, type, unpack_alignment_); + uint32 temp; + GLES2Util::ComputeImageDataSize( + 1, 1, format, type, unpack_alignment_, &temp); + GLsizeiptr element_size = temp; max_size -= max_size % element_size; GLint max_sub_row_pixels = max_size / element_size; for (; height; --height) { @@ -606,10 +627,23 @@ void GLES2Implementation::ReadPixels( Result* result = static_cast<Result*>(result_buffer_); int8* dest = reinterpret_cast<int8*>(pixels); GLsizeiptr max_size = transfer_buffer_.GetLargestFreeOrPendingSize(); - GLsizeiptr unpadded_row_size = GLES2Util::ComputeImageDataSize( - width, 1, format, type, pack_alignment_); - GLsizeiptr padded_row_size = GLES2Util::ComputeImageDataSize( - width, 2, format, type, pack_alignment_) - unpadded_row_size; + uint32 temp_size; + if (!GLES2Util::ComputeImageDataSize( + width, 1, format, type, pack_alignment_, &temp_size)) { + SetGLError(GL_INVALID_VALUE); + return; + } + GLsizeiptr unpadded_row_size = temp_size; + if (!GLES2Util::ComputeImageDataSize( + width, 2, format, type, pack_alignment_, &temp_size)) { + SetGLError(GL_INVALID_VALUE); + return; + } + GLsizeiptr padded_row_size = temp_size - unpadded_row_size; + if (padded_row_size < 0 || unpadded_row_size < 0) { + SetGLError(GL_INVALID_VALUE); + return; + } if (padded_row_size <= max_size) { // Transfer by rows. GLint max_rows = max_size / padded_row_size; @@ -635,8 +669,9 @@ void GLES2Implementation::ReadPixels( } } else { // Transfer by sub rows. Beacuse GL has no maximum texture dimensions. - GLsizeiptr element_size = GLES2Util::ComputeImageDataSize( - 1, 1, format, type, pack_alignment_); + GLES2Util::ComputeImageDataSize( + 1, 1, format, type, pack_alignment_, &temp_size); + GLsizeiptr element_size = temp_size; max_size -= max_size % element_size; GLint max_sub_row_pixels = max_size / element_size; for (; height; --height) { |