commit 943f1a0b85b303601cbd3b07bc80612e82b57ddc
author Antoine Labour <piman@chromium.org> Sat Jan 05 00:47:25 2019
committer Commit Bot <commit-bot@chromium.org> Sat Jan 05 00:47:25 2019
tree 61f0083394e05f51711efe266d4b7ebfe519be2c
parent e7a3bfb8e55795633d6d01228af1aa0b5a857b1c

Have CommandBuffer::CreateTransferBuffer take a uint32_t instead of size_t

Because client and service may be of different bitness, offsets in command
buffers have to fit in a uint32_t, effectively limiting transfer buffers to 4GB.
Make this clear in CommandBuffer::CreateTransferBuffer by taking a uin32_t
instead of a size_t (fixing callers as appropriate), avoiding potential security
issues with silent clamping.

Bug: 905509
Change-Id: I8392f2e73e95bf65e08fa9896e2acc53afa0d268
Reviewed-on: https://chromium-review.googlesource.com/c/1396132
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
Commit-Queue: Antoine Labour <piman@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#620132}
Cr-Mirrored-From: https://chromium.googlesource.com/chromium/src
Cr-Mirrored-Commit: 5cb6cecb3b5a26a6392be6c7a246d6dbdcef3d08

proxy/ppapi_command_buffer_proxy.cc

diff --git a/proxy/ppapi_command_buffer_proxy.cc b/proxy/ppapi_command_buffer_proxy.cc
index 8544052..e6160b6 100644
--- a/proxy/ppapi_command_buffer_proxy.cc
+++ b/proxy/ppapi_command_buffer_proxy.cc
@@ -117,7 +117,7 @@
 }
 
 scoped_refptr<gpu::Buffer> PpapiCommandBufferProxy::CreateTransferBuffer(
-    size_t size,
+    uint32_t size,
     int32_t* id) {
   *id = -1;
 
@@ -129,8 +129,7 @@
   ppapi::proxy::SerializedHandle handle(
       ppapi::proxy::SerializedHandle::SHARED_MEMORY_REGION);
   if (!Send(new PpapiHostMsg_PPBGraphics3D_CreateTransferBuffer(
-          ppapi::API_ID_PPB_GRAPHICS_3D, resource_,
-          base::checked_cast<uint32_t>(size), id, &handle))) {
+          ppapi::API_ID_PPB_GRAPHICS_3D, resource_, size, id, &handle))) {
     if (last_state_.error == gpu::error::kNoError)
       last_state_.error = gpu::error::kLostContext;
     return NULL;

proxy/ppapi_command_buffer_proxy.h

diff --git a/proxy/ppapi_command_buffer_proxy.h b/proxy/ppapi_command_buffer_proxy.h
index 44db7ca..4dd7c31 100644
--- a/proxy/ppapi_command_buffer_proxy.h
+++ b/proxy/ppapi_command_buffer_proxy.h
@@ -50,7 +50,7 @@
                                 int32_t start,
                                 int32_t end) override;
   void SetGetBuffer(int32_t transfer_buffer_id) override;
-  scoped_refptr<gpu::Buffer> CreateTransferBuffer(size_t size,
+  scoped_refptr<gpu::Buffer> CreateTransferBuffer(uint32_t size,
                                                   int32_t* id) override;
   void DestroyTransferBuffer(int32_t id) override;