Bug 1011327 - Add checks around SharedBufferManagerParent

gfx/layers/ipc/SharedBufferManagerChild.cpp

@@ -267,8 +267,9 @@ SharedBufferManagerChild::AllocGrallocBufferNow(const IntSize& aSize,
 #ifdef MOZ_HAVE_SURFACEDESCRIPTORGRALLOC
   mozilla::layers::MaybeMagicGrallocBufferHandle handle;
   SendAllocateGrallocBuffer(aSize, aFormat, aUsage, &handle);
-  if (handle.type() != mozilla::layers::MaybeMagicGrallocBufferHandle::TMagicGrallocBufferHandle)
+  if (handle.type() != mozilla::layers::MaybeMagicGrallocBufferHandle::TMagicGrallocBufferHandle) {
     return false;
+  }
   *aHandle = handle.get_MagicGrallocBufferHandle().mRef;
 
   {
@@ -285,6 +286,13 @@ SharedBufferManagerChild::AllocGrallocBufferNow(const IntSize& aSize,
 void
 SharedBufferManagerChild::DeallocGrallocBuffer(const mozilla::layers::MaybeMagicGrallocBufferHandle& aBuffer)
 {
+#ifdef MOZ_HAVE_SURFACEDESCRIPTORGRALLOC
+  NS_ASSERTION(aBuffer.type() != mozilla::layers::MaybeMagicGrallocBufferHandle::TMagicGrallocBufferHandle, "We shouldn't trying to do IPC with real buffer");
+  if (aBuffer.type() != mozilla::layers::MaybeMagicGrallocBufferHandle::TGrallocBufferRef) {
+    return;
+  }
+#endif
+
   if (InSharedBufferManagerChildThread()) {
     return SharedBufferManagerChild::DeallocGrallocBufferNow(aBuffer);
   }

gfx/layers/ipc/SharedBufferManagerParent.cpp

@@ -22,8 +22,7 @@
 
 using namespace mozilla::ipc;
 #ifdef MOZ_WIDGET_GONK
-using android::sp;
-using android::GraphicBuffer;
+using namespace android;
 #endif
 using std::map;
 
@@ -147,7 +146,28 @@ PSharedBufferManagerParent* SharedBufferManagerParent::Create(Transport* aTransp
 bool SharedBufferManagerParent::RecvAllocateGrallocBuffer(const IntSize& aSize, const uint32_t& aFormat, const uint32_t& aUsage, mozilla::layers::MaybeMagicGrallocBufferHandle* aHandle)
 {
 #ifdef MOZ_HAVE_SURFACEDESCRIPTORGRALLOC
+
+  *aHandle = null_t();
+
+  if (aFormat == 0 || aUsage == 0) {
+    printf_stderr("SharedBufferManagerParent::RecvAllocateGrallocBuffer -- format and usage must be non-zero");
+    return true;
+  }
+
+  // If the requested size is too big (i.e. exceeds the commonly used max GL texture size)
+  // then we risk OOMing the parent process. It's better to just deny the allocation and
+  // kill the child process, which is what the following code does.
+  // TODO: actually use GL_MAX_TEXTURE_SIZE instead of hardcoding 4096
+  if (aSize.width > 4096 || aSize.height > 4096) {
+    printf_stderr("SharedBufferManagerParent::RecvAllocateGrallocBuffer -- requested gralloc buffer is too big.");
+    return false;
+  }
+
   sp<GraphicBuffer> outgoingBuffer = new GraphicBuffer(aSize.width, aSize.height, aFormat, aUsage);
+  if (!outgoingBuffer.get() || outgoingBuffer->initCheck() != NO_ERROR) {
+    printf_stderr("SharedBufferManagerParent::RecvAllocateGrallocBuffer -- gralloc buffer allocation failed");
+    return true;
+  }
 
   GrallocBufferRef ref;
   ref.mOwner = mOwner;
@@ -175,10 +195,16 @@ bool SharedBufferManagerParent::RecvDropGrallocBuffer(const mozilla::layers::May
   NS_ASSERTION(handle.type() == MaybeMagicGrallocBufferHandle::TGrallocBufferRef, "We shouldn't interact with the real buffer!");
   int bufferKey = handle.get_GrallocBufferRef().mKey;
   sp<GraphicBuffer> buf = GetGraphicBuffer(bufferKey);
+  MOZ_ASSERT(buf.get());
   MutexAutoLock lock(mBuffersMutex);
   NS_ASSERTION(mBuffers.count(bufferKey) == 1, "How can you drop others buffer");
   mBuffers.erase(bufferKey);
 
+  if(!buf.get()) {
+    printf_stderr("SharedBufferManagerParent::RecvDropGrallocBuffer -- invalid buffer key.");
+    return true;
+  }
+
   int bpp = 0;
   bpp = android::bytesPerPixel(buf->getPixelFormat());
   if (bpp > 0)

gfx/layers/opengl/GrallocTextureClient.cpp

@@ -36,6 +36,7 @@ GrallocTextureClientOGL::GrallocTextureClientOGL(ISurfaceAllocator* aAllocator,
                                                  gfx::BackendType aMoz2dBackend,
                                                  TextureFlags aFlags)
 : BufferTextureClient(aAllocator, aFormat, aMoz2dBackend, aFlags)
+, mGrallocHandle(null_t())
 , mMappedBuffer(nullptr)
 , mMediaBuffer(nullptr)
 {