osr: Fix potential shared memory OOB access

chromiumembedded · Jan 5, 2024 · 1f55d2e · 1f55d2e
1 parent 9dc7653
commit 1f55d2e
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 5 deletions.
diff --git a/libcef/browser/osr/host_display_client_osr.cc b/libcef/browser/osr/host_display_client_osr.cc
@@ -75,15 +75,24 @@ void CefLayeredWindowUpdaterOSR::OnAllocatedSharedMemory(
     base::UnsafeSharedMemoryRegion region) {
   // Make sure |pixel_size| is sane.
   size_t expected_bytes;
-  bool size_result = viz::ResourceSizes::MaybeSizeInBytes(
-      pixel_size, viz::SinglePlaneFormat::kRGBA_8888, &expected_bytes);
-  if (!size_result) {
+  if (!viz::ResourceSizes::MaybeSizeInBytes(
+          pixel_size, viz::SinglePlaneFormat::kRGBA_8888, &expected_bytes)) {
+    DLOG(ERROR) << "OnAllocatedSharedMemory with size that overflows";
+    return;
+  }
+
+  auto mapping = region.Map();
+  if (!mapping.IsValid()) {
+    DLOG(ERROR) << "Shared memory mapping failed.";
+    return;
+  }
+  if (mapping.size() < expected_bytes) {
+    DLOG(ERROR) << "Shared memory size was less than expected.";
     return;
   }
 
   pixel_size_ = pixel_size;
-  shared_memory_ = region.Map();
-  DCHECK(shared_memory_.IsValid());
+  shared_memory_ = std::move(mapping);
 }
 
 void CefLayeredWindowUpdaterOSR::Draw(const gfx::Rect& damage_rect,

diff --git a/libcef/browser/osr/video_consumer_osr.cc b/libcef/browser/osr/video_consumer_osr.cc
@@ -88,6 +88,11 @@ void CefVideoConsumerOSR::OnFrameCaptured(
         callbacks) {
   ScopedVideoFrameDone scoped_done(std::move(callbacks));
 
+  if (info->pixel_format != media::PIXEL_FORMAT_ARGB) {
+    DLOG(ERROR) << "Unsupported pixel format " << info->pixel_format;
+    return;
+  }
+
   CHECK(data->is_read_only_shmem_region());
   base::ReadOnlySharedMemoryRegion& shmem_region =
       data->get_read_only_shmem_region();