From cac96415aae02c933bc8e182d8f2a2743eeeca1e Mon Sep 17 00:00:00 2001
From: Zhaoming Jiang
Date: Mon, 22 Nov 2021 09:57:52 +0000
Subject: [PATCH] Add size parameter check in buffer mapAsync in wire server
This patch add the size parameter check in buffer mapAsync in dawn wire server to make sure that it is not WGPU_WHOLE_MAP_SIZE. Together with validation in mapAsync in dawn native, we can ensure that the size parameter deserialized in wire server is a valid actual size. When using default size with dawn wire, the actual size is computed by wire client, and WGPU_WHOLE_MAP_SIZE shall never be passed to server.
Bug: chromium:1270819
Change-Id: Ic0fe52efed15860bcc519a3881f0f649f7455435
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/70260
Reviewed-by: Corentin Wallez
Reviewed-by: Austin Eng
Commit-Queue: Zhaoming Jiang
---
src/dawn_wire/server/ServerBuffer.cpp | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/dawn_wire/server/ServerBuffer.cpp b/src/dawn_wire/server/ServerBuffer.cpp
index 7005f38987..05be903a5c 100644
--- a/src/dawn_wire/server/ServerBuffer.cpp
+++ b/src/dawn_wire/server/ServerBuffer.cpp
@@ -74,8 +74,12 @@ namespace dawn_wire { namespace server {
 userdata->requestSerial = requestSerial;
 userdata->mode = mode;
- if (offset64 > std::numeric_limits::max() ||
- size64 > std::numeric_limits::max()) {
+ // Make sure that the deserialized offset and size are no larger than
+ // std::numeric_limits::max() so that they are CPU-addressable, and size is not
+ // WGPU_WHOLE_MAP_SIZE, which is by definition std::numeric_limits::max(). Since
+ // client does the default size computation, we should always have a valid actual size here
+ // in server. All other invalid actual size can be caught by dawn native side validation.
+ if (offset64 > std::numeric_limits::max() || size64 >= WGPU_WHOLE_MAP_SIZE) {
 OnBufferMapAsyncCallback(WGPUBufferMapAsyncStatus_Error, userdata.get());
 return true;
 }
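Review bot: The rewritten condition on the last added line keeps the old CPU-addressability bound on size64 only because WGPU_WHOLE_MAP_SIZE happens to equal std::numeric_limits<size_t>::max(), and that equality is asserted solely in the five-line comment above it. Placing `static_assert(WGPU_WHOLE_MAP_SIZE == std::numeric_limits<size_t>::max(), "size bound relies on WGPU_WHOLE_MAP_SIZE being SIZE_MAX");` next to the check would let the compiler enforce the assumption the comment describes, so a later change to the header definition cannot silently widen what the server accepts from the wire. The sentinel is also a size_t of whichever process defines it; if a client with a narrower size_t could ever reach this server, its sentinel would not match here, so the native-side range validation the comment defers to stays the load-bearing check and should not be relaxed on the strength of this one. The `std::numeric_limits::max()` spelled without a template argument in this rendering is presumably `<size_t>` lost to markup stripping rather than the committed text. The enclosing handler starts and continues outside the hunk.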