Have CommandBuffer::CreateTransferBuffer take a uint32_t instead of size_t
Because client and service may be of different bitness, offsets in command
buffers have to fit in a uint32_t, effectively limiting transfer buffers to 4GB.
Make this clear in CommandBuffer::CreateTransferBuffer by taking a uin32_t
instead of a size_t (fixing callers as appropriate), avoiding potential security
issues with silent clamping.
Bug: 905509
Change-Id: I8392f2e73e95bf65e08fa9896e2acc53afa0d268
Reviewed-on: https://chromium-review.googlesource.com/c/1396132
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
Commit-Queue: Antoine Labour <piman@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#620132}
Cr-Mirrored-From: https://chromium.googlesource.com/chromium/src
Cr-Mirrored-Commit: 5cb6cecb3b5a26a6392be6c7a246d6dbdcef3d08
diff --git a/proxy/ppapi_command_buffer_proxy.cc b/proxy/ppapi_command_buffer_proxy.cc
index 8544052..e6160b6 100644
--- a/proxy/ppapi_command_buffer_proxy.cc
+++ b/proxy/ppapi_command_buffer_proxy.cc
@@ -117,7 +117,7 @@
}
scoped_refptr<gpu::Buffer> PpapiCommandBufferProxy::CreateTransferBuffer(
- size_t size,
+ uint32_t size,
int32_t* id) {
*id = -1;
@@ -129,8 +129,7 @@
ppapi::proxy::SerializedHandle handle(
ppapi::proxy::SerializedHandle::SHARED_MEMORY_REGION);
if (!Send(new PpapiHostMsg_PPBGraphics3D_CreateTransferBuffer(
- ppapi::API_ID_PPB_GRAPHICS_3D, resource_,
- base::checked_cast<uint32_t>(size), id, &handle))) {
+ ppapi::API_ID_PPB_GRAPHICS_3D, resource_, size, id, &handle))) {
if (last_state_.error == gpu::error::kNoError)
last_state_.error = gpu::error::kLostContext;
return NULL;
diff --git a/proxy/ppapi_command_buffer_proxy.h b/proxy/ppapi_command_buffer_proxy.h
index 44db7ca..4dd7c31 100644
--- a/proxy/ppapi_command_buffer_proxy.h
+++ b/proxy/ppapi_command_buffer_proxy.h
@@ -50,7 +50,7 @@
int32_t start,
int32_t end) override;
void SetGetBuffer(int32_t transfer_buffer_id) override;
- scoped_refptr<gpu::Buffer> CreateTransferBuffer(size_t size,
+ scoped_refptr<gpu::Buffer> CreateTransferBuffer(uint32_t size,
int32_t* id) override;
void DestroyTransferBuffer(int32_t id) override;