This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: cherry-pick 7e42e0a7c6 and b1b3ccbd57 from chromium.
Showing 18 changed files with 203 additions and 90 deletions.
33 changes: 33 additions & 0 deletions
patches/chromium/disallow_creation_of_canvasresourceproviders_for_zero_sized_images.patch
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Robert Phillips <robertphillips@google.com> | ||
Date: Wed, 16 Sep 2020 18:42:32 +0000 | ||
Subject: Disallow creation of CanvasResourceProviders for zero sized images | ||
|
||
(cherry picked from commit ff3c6ce9ca777c4ab1031b8cfa98e7dfdaea88a1) | ||
|
||
Bug: 1126424 | ||
Change-Id: I17ddbdce78d89a997a73c37f18cd945b83936f7f | ||
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2405644 | ||
Reviewed-by: Fernando Serboncini <fserb@chromium.org> | ||
Commit-Queue: Robert Phillips <robertphillips@google.com> | ||
Cr-Original-Commit-Position: refs/heads/master@{#806708} | ||
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2414669 | ||
Reviewed-by: Robert Phillips <robertphillips@google.com> | ||
Reviewed-by: Aaron Krajeski <aaronhk@chromium.org> | ||
Cr-Commit-Position: refs/branch-heads/4240@{#783} | ||
Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218} | ||
|
||
diff --git a/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc b/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc | ||
index 4635d4a38836150f3abafedeffaf31a20d6e77cf..d13a4e208d19ed55a449641b4648e20303e33aa8 100644 | ||
--- a/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc | ||
+++ b/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc | ||
@@ -804,6 +804,9 @@ CanvasResourceProvider::CreateSharedImageProvider( | ||
if (!context_provider_wrapper) | ||
return nullptr; | ||
|
||
+ if (size.Width() <= 0 || size.Height() <= 0) | ||
+ return nullptr; | ||
+ | ||
const auto& capabilities = | ||
context_provider_wrapper->ContextProvider()->GetCapabilities(); | ||
bool use_webgpu = |
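
Review bot: The new early return on `size.Width() <= 0 || size.Height() <= 0` in CreateSharedImageProvider has no comment, and the commit message gives only the bug number, so nothing at the call site says why a zero-sized request must be rejected before `capabilities` is read. Add a one-line comment above the check citing crbug.com/1126424, and consider a unit test that asks for a 0x0 provider and expects nullptr so the guard cannot be dropped silently.
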
78 changes: 78 additions & 0 deletions
patches/chromium/don_t_create_providers_if_context_is_lost.patch
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Aaron Krajeski <aaronhk@chromium.org> | ||
Date: Tue, 22 Sep 2020 14:53:17 +0000 | ||
Subject: Don't create providers if context is lost | ||
|
||
CanvasResourceProvider::CreateSharedImageProvider receives a weak pointer | ||
to the ContextProviderWrapper and returns nullptr if it does not exist. | ||
|
||
Unfortunately SharedGpuContext::IsGpuCompositingEnabled can re-create | ||
the ContextProviderWrapper after this check happens, leading to potential | ||
use-after-frees. | ||
|
||
To me it simply makes the most sense to not create a CRP if context is | ||
lost, as the created provider would be invalid and nullptr would get | ||
returned anyway. | ||
|
||
Bug: 1126424 | ||
Change-Id: Ic92709d7a38d94e5e7529efac3a09405d64eaa34 | ||
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2417097 | ||
Reviewed-by: Juanmi Huertas <juanmihd@chromium.org> | ||
Reviewed-by: Fernando Serboncini <fserb@chromium.org> | ||
Commit-Queue: Aaron Krajeski <aaronhk@chromium.org> | ||
Cr-Commit-Position: refs/heads/master@{#809327} | ||
|
||
diff --git a/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc b/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc | ||
index d13a4e208d19ed55a449641b4648e20303e33aa8..8fb14df8be73ef83fe0e67946b684d2faa825f38 100644 | ||
--- a/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc | ||
+++ b/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc | ||
@@ -801,10 +801,16 @@ CanvasResourceProvider::CreateSharedImageProvider( | ||
bool is_origin_top_left, | ||
RasterMode raster_mode, | ||
uint32_t shared_image_usage_flags) { | ||
- if (!context_provider_wrapper) | ||
- return nullptr; | ||
- | ||
- if (size.Width() <= 0 || size.Height() <= 0) | ||
+ // IsGpuCompositingEnabled can re-create the context if it has been lost, do | ||
+ // this up front so that we can fail early and not expose ourselves to | ||
+ // use after free bugs (crbug.com/1126424) | ||
+ const bool is_gpu_compositing_enabled = | ||
+ SharedGpuContext::IsGpuCompositingEnabled(); | ||
+ | ||
+ // If the context is lost we don't want to re-create it here, the resulting | ||
+ // resource provider would be invalid anyway | ||
+ if (!context_provider_wrapper || | ||
+ context_provider_wrapper->ContextProvider()->IsContextLost()) | ||
return nullptr; | ||
|
||
const auto& capabilities = | ||
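
Review bot: The removed lines at the top of CreateSharedImageProvider include `if (size.Width() <= 0 || size.Height() <= 0)`, and none of the added lines restore it, so after this hunk the zero-size guard introduced for the same bug (1126424) no longer exists in this function. If dropping it is not intended, keep it as a separate early return after the context-lost check, or fold `size.Width() <= 0 || size.Height() <= 0` into the new condition. Also note that `IsGpuCompositingEnabled()` is now called before the null check on `context_provider_wrapper`; that ordering is the point of the fix and the comment says so, which is good.
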
@@ -820,7 +826,7 @@ CanvasResourceProvider::CreateSharedImageProvider( | ||
} | ||
|
||
const bool is_gpu_memory_buffer_image_allowed = | ||
- SharedGpuContext::IsGpuCompositingEnabled() && | ||
+ is_gpu_compositing_enabled && | ||
IsGMBAllowed(size, color_params, capabilities) && | ||
Platform::Current()->GetGpuMemoryBufferManager(); | ||
|
||
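
Review bot: `is_gpu_compositing_enabled` is consumed here, in the `is_gpu_memory_buffer_image_allowed` initializer, well below where it is assigned, and nothing at this line explains why the direct call was replaced. A short comment pointing back to the up-front call would stop a later edit from reintroducing `SharedGpuContext::IsGpuCompositingEnabled()` at this spot, after `capabilities` has already been bound from the wrapper.
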
@@ -853,6 +859,9 @@ CanvasResourceProvider::CreatePassThroughProvider( | ||
const CanvasColorParams& color_params, | ||
bool is_origin_top_left, | ||
base::WeakPtr<CanvasResourceDispatcher> resource_dispatcher) { | ||
+ // SharedGpuContext::IsGpuCompositingEnabled can potentially replace the | ||
+ // context_provider_wrapper, so it's important to call that first as it can | ||
+ // invalidate the weak pointer. | ||
if (!SharedGpuContext::IsGpuCompositingEnabled() || !context_provider_wrapper) | ||
return nullptr; | ||
|
||
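
Review bot: CreatePassThroughProvider gets only a comment, while the commit message argues for not creating a provider when the context is lost and CreateSharedImageProvider now checks `IsContextLost()`. The safety here rests entirely on the left-to-right evaluation of `!SharedGpuContext::IsGpuCompositingEnabled() || !context_provider_wrapper`, which a reordering of the operands would break without any compiler warning. Consider splitting the call into its own statement, as done in CreateSharedImageProvider, and adding the same `IsContextLost()` check so the three factory functions behave consistently.
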
@@ -886,6 +895,9 @@ CanvasResourceProvider::CreateSwapChainProvider( | ||
const CanvasColorParams& color_params, | ||
bool is_origin_top_left, | ||
base::WeakPtr<CanvasResourceDispatcher> resource_dispatcher) { | ||
+ // SharedGpuContext::IsGpuCompositingEnabled can potentially replace the | ||
+ // context_provider_wrapper, so it's important to call that first as it can | ||
+ // invalidate the weak pointer. | ||
DCHECK(is_origin_top_left); | ||
if (!SharedGpuContext::IsGpuCompositingEnabled() || !context_provider_wrapper) | ||
return nullptr; |
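
Review bot: In CreateSwapChainProvider the new comment sits above `DCHECK(is_origin_top_left);` rather than above the `if` that it describes, so it reads as if it documents the DCHECK. Move it below the DCHECK, directly above `if (!SharedGpuContext::IsGpuCompositingEnabled() || !context_provider_wrapper)`. As in CreatePassThroughProvider, there is no `IsContextLost()` check here, and the ordering dependence inside the `||` would be more robust as a separate statement.
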