From e1d0aa9f929659941e15c3d21e4a63199b70493f Mon Sep 17 00:00:00 2001
From: Shrek Shao
Date: Fri, 8 Jul 2022 14:42:24 +0000
Subject: [PATCH] Inline memory transfer service offset bound update

Offset > 0 is already implicitly included in this if statement (when `offset == 0` then `size > mDataLength` could safely assert it's invalid). So we could remove it and use `offset > mDataLength` instead of `>=`.

Bug: chromium:1340654
Change-Id: Ieafe1ea6bef5aae29bc6ef2bd9702d6f7a92d8b5
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/95820
Reviewed-by: Corentin Wallez
Reviewed-by: Loko Kung
Kokoro: Kokoro
Commit-Queue: Shrek Shao
---
 src/dawn/wire/server/ServerInlineMemoryTransferService.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/dawn/wire/server/ServerInlineMemoryTransferService.cpp b/src/dawn/wire/server/ServerInlineMemoryTransferService.cpp
index 6f5884a798..84ecb7b182 100644
--- a/src/dawn/wire/server/ServerInlineMemoryTransferService.cpp
+++ b/src/dawn/wire/server/ServerInlineMemoryTransferService.cpp
@@ -55,7 +55,7 @@ class InlineMemoryTransferService : public MemoryTransferService {
 deserializePointer == nullptr) {
 return false;
 }
- if ((offset >= mDataLength && offset > 0) || size > mDataLength - offset) {
+ if (offset > mDataLength || size > mDataLength - offset) {
 return false;
 }
 memcpy(static_cast(mTargetData) + offset, deserializePointer, size);
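Review bot: The new guard `offset > mDataLength || size > mDataLength - offset` is safe only because the first comparison short-circuits before the subtraction, and nothing at that line records this. If the operands are unsigned (their declarations are outside the hunk), reordering or splitting the condition later would let `mDataLength - offset` wrap and admit an out-of-bounds `memcpy`. I would add a comment above it such as `// Check offset first: it guarantees mDataLength - offset cannot wrap before size is compared.` The change also newly accepts `offset == mDataLength` when `size == 0`, so a unit test pinning that boundary, plus the rejection of `offset == mDataLength` with `size == 1`, would be worth adding, since the offset and size here appear to come from the wire. The enclosing function starts and ends outside the hunk, so whether `mTargetData` is null-checked before the copy cannot be confirmed from here.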