From 97b42ddbea7ebd7dd3e3624be34b59da92a3f497 Mon Sep 17 00:00:00 2001
From: chenyang
Date: Fri, 2 Feb 2024 16:18:25 +0800
Subject: [PATCH] =?UTF-8?q?fixed=204b9be6b=20from=20https://gitee.com/chen?= =?UTF-8?q?yang322/chromium=5Fcef/pulls/230=20=E4=BF=AE=E5=A4=8DCVE-2024-2?= =?UTF-8?q?1639,CVE-2024-21640?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: chenyang
---
 libcef/browser/osr/host_display_client_osr.cc | 20 ++++++++++++++-----
 libcef/browser/osr/video_consumer_osr.cc | 5 +++++
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/libcef/browser/osr/host_display_client_osr.cc b/libcef/browser/osr/host_display_client_osr.cc
index ab3541844..2f2409d12 100644
--- a/libcef/browser/osr/host_display_client_osr.cc
+++ b/libcef/browser/osr/host_display_client_osr.cc
@@ -76,14 +76,24 @@ void CefLayeredWindowUpdaterOSR::OnAllocatedSharedMemory(
 base::UnsafeSharedMemoryRegion region) {
 // Make sure |pixel_size| is sane.
 size_t expected_bytes;
- bool size_result = viz::ResourceSizes::MaybeSizeInBytes(
- pixel_size, viz::ResourceFormat::RGBA_8888, &expected_bytes);
- if (!size_result)
+ if (!viz::ResourceSizes::MaybeSizeInBytes(
+ pixel_size, viz::SinglePlaneFormat::kRGBA_8888, &expected_bytes)) {
+ DLOG(ERROR) << "OnAllocatedSharedMemory with size that overflows";
 return;
+ }
+
+ auto mapping = region.Map();
+ if (!mapping.IsValid()) {
+ DLOG(ERROR) << "Shared memory mapping failed.";
+ return;
+ }
+ if (mapping.size() < expected_bytes) {
+ DLOG(ERROR) << "Shared memory size was less than expected.";
+ return;
+ }
 
 pixel_size_ = pixel_size;
- shared_memory_ = region.Map();
- DCHECK(shared_memory_.IsValid());
+ shared_memory_ = std::move(mapping);
 }
 
 void CefLayeredWindowUpdaterOSR::Draw(const gfx::Rect& damage_rect,
diff --git a/libcef/browser/osr/video_consumer_osr.cc b/libcef/browser/osr/video_consumer_osr.cc
index d243049a6..dccc6315b 100644
--- a/libcef/browser/osr/video_consumer_osr.cc
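Review bot: Each of the three early returns added in `OnAllocatedSharedMemory` leaves `pixel_size_` and `shared_memory_` at their previous values, so after a rejected region the object keeps the old mapping while the sender believes a new one is in place. `Draw` is visible here only by its signature, but if it paints from `shared_memory_` it would keep presenting stale pixels with no failure signal; consider clearing the state on the error paths, e.g. `pixel_size_ = gfx::Size(); shared_memory_ = {};` before each `return`. The rejections are also logged with `DLOG` only, which release builds normally compile out, so a peer sending an overflowing or undersized region leaves no trace in production; the same applies to the new format check in `video_consumer_osr.cc`.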
+++ b/libcef/browser/osr/video_consumer_osr.cc
@@ -87,6 +87,11 @@ void CefVideoConsumerOSR::OnFrameCaptured(
 callbacks) {
 ScopedVideoFrameDone scoped_done(std::move(callbacks));
 
+ if (info->pixel_format != media::PIXEL_FORMAT_ARGB) {
+ DLOG(ERROR) << "Unsupported pixel format " << info->pixel_format;
+ return;
+ }
+
 CHECK(data->is_read_only_shmem_region());
 base::ReadOnlySharedMemoryRegion& shmem_region =
 data->get_read_only_shmem_region();
-- Gitee
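Review bot: The new `PIXEL_FORMAT_ARGB` check in `OnFrameCaptured` carries no comment saying why every other format must be rejected, and that reason is the security-relevant part of this fix. A short comment above it, such as `// Only ARGB is handled below; another format would have a different byte layout than the size checks and copy assume.`, would keep a later change from relaxing it; the wording should be confirmed against the rest of the function. The body continues past the end of this hunk, so whether the mapped region's size is validated against the frame's dimensions cannot be confirmed from here. Placing the check after `scoped_done` looks right, since the early return then presumably still signals completion through that object's destructor.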