diff options
author | Andrew Osmond <aosmond@mozilla.com> | 2018-02-22 12:11:00 -0500 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-03-14 11:06:35 +0100 |
commit | c0ea2166b946daaad3b2b85b68c5570f9f7822d7 (patch) | |
tree | 24800a260ae6e9c539f2ce0b5c24d9ba4f117685 /gfx/layers/composite/TextureHost.cpp | |
parent | 686954ea845a7b05a8bdb8d2ed9a002a88e698e6 (diff) | |
download | UXP-c0ea2166b946daaad3b2b85b68c5570f9f7822d7.tar UXP-c0ea2166b946daaad3b2b85b68c5570f9f7822d7.tar.gz UXP-c0ea2166b946daaad3b2b85b68c5570f9f7822d7.tar.lz UXP-c0ea2166b946daaad3b2b85b68c5570f9f7822d7.tar.xz UXP-c0ea2166b946daaad3b2b85b68c5570f9f7822d7.zip |
Bug 1388020. r=nical, a=RyanVM
Diffstat (limited to 'gfx/layers/composite/TextureHost.cpp')
-rw-r--r-- | gfx/layers/composite/TextureHost.cpp | 62 |
1 files changed, 51 insertions, 11 deletions
diff --git a/gfx/layers/composite/TextureHost.cpp b/gfx/layers/composite/TextureHost.cpp index 8c5b8c7b7..e7d87e238 100644 --- a/gfx/layers/composite/TextureHost.cpp +++ b/gfx/layers/composite/TextureHost.cpp @@ -100,15 +100,9 @@ TextureHost::CreateIPDLActor(HostIPCAllocator* aAllocator, TextureFlags aFlags, uint64_t aSerial) { - if (aSharedData.type() == SurfaceDescriptor::TSurfaceDescriptorBuffer && - aSharedData.get_SurfaceDescriptorBuffer().data().type() == MemoryOrShmem::Tuintptr_t && - !aAllocator->IsSameProcess()) - { - NS_ERROR("A client process is trying to peek at our address space using a MemoryTexture!"); - return nullptr; - } TextureParent* actor = new TextureParent(aAllocator, aSerial); if (!actor->Init(aSharedData, aLayersBackend, aFlags)) { + actor->ActorDestroy(ipc::IProtocol::ActorDestroyReason::FailedConstructor); delete actor; return nullptr; } @@ -210,6 +204,11 @@ TextureHost::Create(const SurfaceDescriptor& aDesc, #ifdef MOZ_X11 case SurfaceDescriptor::TSurfaceDescriptorX11: { + if (!aDeallocator->IsSameProcess()) { + NS_ERROR("A client process is trying to peek at our address space using a X11Texture!"); + return nullptr; + } + const SurfaceDescriptorX11& desc = aDesc.get_SurfaceDescriptorX11(); return MakeAndAddRef<X11TextureHost>(aFlags, desc); } @@ -244,13 +243,49 @@ CreateBackendIndependentTextureHost(const SurfaceDescriptor& aDesc, const MemoryOrShmem& data = bufferDesc.data(); switch (data.type()) { case MemoryOrShmem::TShmem: { - result = new ShmemTextureHost(data.get_Shmem(), - bufferDesc.desc(), - aDeallocator, - aFlags); + const ipc::Shmem& shmem = data.get_Shmem(); + const BufferDescriptor& desc = bufferDesc.desc(); + if (!shmem.IsReadable()) { + // We failed to map the shmem so we can't verify its size. This + // should not be a fatal error, so just create the texture with + // nothing backing it. + result = new ShmemTextureHost(shmem, desc, aDeallocator, aFlags); + break; + } + + size_t bufSize = shmem.Size<char>(); + size_t reqSize = SIZE_MAX; + switch (desc.type()) { + case BufferDescriptor::TYCbCrDescriptor: { + const YCbCrDescriptor& ycbcr = desc.get_YCbCrDescriptor(); + reqSize = + ImageDataSerializer::ComputeYCbCrBufferSize(ycbcr.ySize(), ycbcr.cbCrSize()); + break; + } + case BufferDescriptor::TRGBDescriptor: { + const RGBDescriptor& rgb = desc.get_RGBDescriptor(); + reqSize = ImageDataSerializer::ComputeRGBBufferSize(rgb.size(), rgb.format()); + break; + } + default: + gfxCriticalError() << "Bad buffer host descriptor " << (int)desc.type(); + MOZ_CRASH("GFX: Bad descriptor"); + } + + if (bufSize < reqSize) { + NS_ERROR("A client process gave a shmem too small to fit for its descriptor!"); + return nullptr; + } + + result = new ShmemTextureHost(shmem, desc, aDeallocator, aFlags); break; } case MemoryOrShmem::Tuintptr_t: { + if (!aDeallocator->IsSameProcess()) { + NS_ERROR("A client process is trying to peek at our address space using a MemoryTexture!"); + return nullptr; + } + result = new MemoryTextureHost(reinterpret_cast<uint8_t*>(data.get_uintptr_t()), bufferDesc.desc(), aFlags); @@ -268,6 +303,11 @@ CreateBackendIndependentTextureHost(const SurfaceDescriptor& aDesc, } #ifdef XP_WIN case SurfaceDescriptor::TSurfaceDescriptorDIB: { + if (!aDeallocator->IsSameProcess()) { + NS_ERROR("A client process is trying to peek at our address space using a DIBTexture!"); + return nullptr; + } + result = new DIBTextureHost(aFlags, aDesc); break; } |