From f3666c45f3362c7faf7cbdd9328ac76d21327a2a Mon Sep 17 00:00:00 2001
From: Brendon Tiszka
Date: Tue, 18 Oct 2022 15:15:02 +0000
Subject: [PATCH] Add assertions to ServerInlineMemoryTransferService to catch corrupted states while fuzzing with DawnWireServerFuzzer and tests.
Bug: chromium:1340654,chromium:1374495
Change-Id: Icfb008a1cd6dbd8af32f3aedc90ef29e29a0465b
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/106041
Commit-Queue: Brendon Tiszka
Reviewed-by: Corentin Wallez
Reviewed-by: Austin Eng
Kokoro: Kokoro
---
 src/dawn/wire/server/ServerInlineMemoryTransferService.cpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/dawn/wire/server/ServerInlineMemoryTransferService.cpp b/src/dawn/wire/server/ServerInlineMemoryTransferService.cpp
index 84ecb7b182..c5f84d4cef 100644
--- a/src/dawn/wire/server/ServerInlineMemoryTransferService.cpp
+++ b/src/dawn/wire/server/ServerInlineMemoryTransferService.cpp
@@ -51,6 +51,8 @@ class InlineMemoryTransferService : public MemoryTransferService {
 size_t deserializeSize,
 size_t offset,
 size_t size) override {
+ ASSERT(offset <= mDataLength);
+ ASSERT(size <= mDataLength - offset);
 if (deserializeSize != size || mTargetData == nullptr ||
 deserializePointer == nullptr) {
 return false;
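Review bot: The added `ASSERT(offset <= mDataLength)` and `ASSERT(size <= mDataLength - offset)` are the only bounds checks on `offset` and `size` visible in this override, and the runtime path that returns `false` still tests only `deserializeSize != size` and the two null pointers. If `ASSERT` compiles to nothing in release builds (its definition is not shown here), these bounds are not enforced at this point in shipped code, so the hunk should say where they are enforced, e.g. `// offset/size are validated by the caller before this call; the ASSERTs only catch corrupted state in assert-enabled builds.` If no such caller check exists, make it a runtime rejection instead: `if (offset > mDataLength || size > mDataLength - offset) { return false; }`, keeping the subtraction form so `offset + size` cannot wrap. The function starts before and continues past the hunk, so what is done with `offset` and `size` afterwards is not visible.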