Fixed integer overflow.

TEST=regression tests BUG=35931 Review URL: http://codereview.chromium.org/628004 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39503 0039d316-1c4b-4281-b951-d872f2087c98
author: apatrick@chromium.org <apatrick@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2010-02-19 22:54:35 +0000
committer: apatrick@chromium.org <apatrick@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2010-02-19 22:54:35 +0000
commit: ecd28bb347c838c93edabc2c0f32929443bac602 (patch)
tree: faaab6549d74089fd69146368112c4b816ac2205 /gpu
parent: 1d80a8545a57db436476d45b77e549ab5b06b043 (diff)
download: chromium_src-ecd28bb347c838c93edabc2c0f32929443bac602.zip
chromium_src-ecd28bb347c838c93edabc2c0f32929443bac602.tar.gz
chromium_src-ecd28bb347c838c93edabc2c0f32929443bac602.tar.bz2
3 files changed, 16 insertions, 0 deletions
diff --git a/gpu/command_buffer/common/command_buffer.h b/gpu/command_buffer/common/command_buffer.h
index 11ba280..b14c35a5 100644
--- a/gpu/command_buffer/common/command_buffer.h
+++ b/gpu/command_buffer/common/command_buffer.h
@@ -14,6 +14,10 @@ namespace gpu {
 // Common interface for CommandBuffer implementations.
 class CommandBuffer {
  public:
+  enum {
+    kMaxCommandBufferSize = 4 * 1024 * 1024
+  };
+
   struct State {
     State()
         : size(0),
diff --git a/gpu/command_buffer/service/command_buffer_service.cc b/gpu/command_buffer/service/command_buffer_service.cc
index aacfd3e..90503ed 100644
--- a/gpu/command_buffer/service/command_buffer_service.cc
+++ b/gpu/command_buffer/service/command_buffer_service.cc
@@ -31,6 +31,9 @@ bool CommandBufferService::Initialize(int32 size) {
   if (ring_buffer_.get())
     return false;
 
+  if (size == 0 || size > kMaxCommandBufferSize)
+    return false;
+
   size_ = size;
 
   ring_buffer_.reset(new SharedMemory);
diff --git a/gpu/command_buffer/service/command_buffer_service_unittest.cc b/gpu/command_buffer/service/command_buffer_service_unittest.cc
index b695e2e..7a116c0 100644
--- a/gpu/command_buffer/service/command_buffer_service_unittest.cc
+++ b/gpu/command_buffer/service/command_buffer_service_unittest.cc
@@ -67,6 +67,15 @@ TEST_F(CommandBufferServiceTest, InitializationSizeIsInEntriesNotBytes) {
             command_buffer_->GetRingBuffer().size);
 }
 
+TEST_F(CommandBufferServiceTest, InitializationFailsIfSizeIsZero) {
+  EXPECT_FALSE(command_buffer_->Initialize(0));
+}
+
+TEST_F(CommandBufferServiceTest, InitializationFailsIfSizeOutOfRange) {
+  EXPECT_FALSE(command_buffer_->Initialize(
+      CommandBuffer::kMaxCommandBufferSize + 1));
+}
+
 TEST_F(CommandBufferServiceTest, InitializeFailsSecondTime) {
   EXPECT_TRUE(command_buffer_->Initialize(1024));
   EXPECT_FALSE(command_buffer_->Initialize(1024));
author	apatrick@chromium.org <apatrick@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2010-02-19 22:54:35 +0000
committer	apatrick@chromium.org <apatrick@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2010-02-19 22:54:35 +0000
commit	ecd28bb347c838c93edabc2c0f32929443bac602 (patch)
tree	faaab6549d74089fd69146368112c4b816ac2205 /gpu
parent	1d80a8545a57db436476d45b77e549ab5b06b043 (diff)
download	chromium_src-ecd28bb347c838c93edabc2c0f32929443bac602.zip chromium_src-ecd28bb347c838c93edabc2c0f32929443bac602.tar.gz chromium_src-ecd28bb347c838c93edabc2c0f32929443bac602.tar.bz2