From 2d98f2a6dc2cec8b5661e36763d31d422d749e2c Mon Sep 17 00:00:00 2001 From: "gman@google.com" Date: Fri, 4 Sep 2009 22:08:46 +0000 Subject: Add check for offset + number_of_bytes overflow to UPDATE_TEXTURE2D and UPDATE_TEXTURE2D_RECT IMC messages. This was moved from issue 199008 because codereview.chromium.org was giving bogus errors C:\src\o3d_outside_pc\o3d>gcl upload fix Upload server: codereview.chromium.org (change with -s/--server) Email [gman@google.com]: Password for gman@google.com: Saving authentication cookies to C:\Documents and Settings\gman\.codereview_upload_cookies Issue creation errors: {'user': ["You (Gman@google.com) don't own this issue (199008)"]} Review URL: http://codereview.chromium.org/192030 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@25524 0039d316-1c4b-4281-b951-d872f2087c98 --- o3d/core/cross/message_queue.cc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'o3d') diff --git a/o3d/core/cross/message_queue.cc b/o3d/core/cross/message_queue.cc index d8962b2..ae30a58 100644 --- a/o3d/core/cross/message_queue.cc +++ b/o3d/core/cross/message_queue.cc @@ -582,7 +582,8 @@ bool MessageQueue::ProcessMessageUpdateTexture2D( // Check that we will not be reading past the end of the allocated shared // memory. - if (message.offset + message.number_of_bytes > info->size) { + if (message.offset + message.number_of_bytes > info->size || + message.offset + message.number_of_bytes < message.offset) { O3D_ERROR(service_locator_) << "Offset + texture size exceeds allocated shared memory size (" << message.offset << " + " << message.number_of_bytes << " > " 
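Review bot: The added wrap test `message.offset + message.number_of_bytes < message.offset` is only reliable if both fields are unsigned. Their declarations are not in this hunk, but the second hunk declares `number_of_bytes` as `int32`; if these fields are signed too, the overflow is undefined behaviour that an optimizer may drop, and a negative offset with a small positive size would satisfy both comparisons. Comparing by subtraction never overflows: reject negative values first, then use `if (message.offset > info->size || message.number_of_bytes > info->size - message.offset)`. The same form applies to the check added in ProcessMessageUpdateTexture2DRect. The body of ProcessMessageUpdateTexture2D starts and ends outside the hunk.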
@@ -657,7 +658,8 @@ bool MessageQueue::ProcessMessageUpdateTexture2DRect( int32 number_of_bytes = (message.height - 1) * message.pitch + image::ComputePitch(texture_object->format(), message.width); - if (message.offset + number_of_bytes > info->size) { + if (message.offset + number_of_bytes > info->size || + message.offset + number_of_bytes < message.offset) { O3D_ERROR(service_locator_) << "Offset + size as computed by width, height and pitch" << " exceeds allocated shared memory size (" -- cgit v1.1
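Review bot: `number_of_bytes` is an `int32` computed as `(message.height - 1) * message.pitch + image::ComputePitch(...)` from message fields, so it can already overflow or come out negative before the new comparison runs, and the added test does not cover that. Before the bounds check, the handler should reject non-positive width, height and pitch and do the size arithmetic in a wider unsigned type, for example `uint64 number_of_bytes = static_cast<uint64>(message.height - 1) * message.pitch + image::ComputePitch(texture_object->format(), message.width);`, then compare it with `info->size - message.offset`. Whether width, height and pitch are validated earlier in the function is not visible here, since the body starts and ends outside the hunk.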