
Commit 9705fdf

vonture authored and Michal Klocek committed
[Backport] CVE-2025-1426: Heap buffer overflow in GPU
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/6258068:

M132: Check query IDs before removing from active_queries_

glDeleteQueries was removing queries from active_queries_ if they matched the type of query being deleted. It also needed to check that the ID matches. This would cause issues later when the real active query was ended and did not exist in the map.

(cherry picked from commit d8747107c91751884bdc5a297b29e6ba1785e7e5)

Bug: 383465163
Change-Id: I1ea9d1b053324dbe86c8dceadd9e3b8aa2b41c64
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6226546
Reviewed-by: Zhenyao Mo <[email protected]>
Commit-Queue: Geoff Lang <[email protected]>
Cr-Original-Commit-Position: refs/heads/main@{#1416160}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6258068
Cr-Commit-Position: refs/branch-heads/6834@{#5225}
Cr-Branched-From: 47a3549fac11ee8cb7be6606001ede605b302b9f-refs/heads/main@{#1381561}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/626260
Reviewed-by: Anu Aliyas <[email protected]>
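The bug the commit message describes is easier to see in a small model than in the two-line diff. The following is an added illustration, not Chromium or Qt WebEngine code: it reproduces the shape of the passthrough decoder's bookkeeping (a per-client-id query table and an `active_queries_` map keyed by target type, as in the diff) and runs the scenario from the commit message with the old type-only check and with the patched ID check. The `Decoder`, `QueryInfo` and `GenQuery`/`BeginQuery`/`EndQuery`/`DeleteQuery` names, the service IDs, and the single target enum value are assumptions of this model.

```cpp
// Added illustration (not Chromium/Qt code): minimal model of the
// passthrough decoder's active_queries_ bookkeeping, showing why
// DoDeleteQueriesEXT must compare the service ID and not only the target
// type. ActiveQuery / active_queries_ / service_id mirror the diff; the
// Decoder class, QueryInfo table and helper names are assumptions.
#include <cassert>
#include <map>
#include <optional>

using GLenum = unsigned int;
using GLuint = unsigned int;

// Assumed target value; only one query of a given target can be active.
constexpr GLenum GL_ANY_SAMPLES_PASSED_EXT = 0x8C2F;

struct ActiveQuery {
  GLuint service_id = 0;
};

struct QueryInfo {
  GLenum type = 0;        // target recorded when the query is begun
  GLuint service_id = 0;  // driver-side id backing this client id
};

class Decoder {
 public:
  // Assumption: the caller assigns both the client id and the service id.
  void GenQuery(GLuint client_id, GLuint service_id) {
    query_infos_[client_id] = QueryInfo{0, service_id};
  }

  void BeginQuery(GLenum target, GLuint client_id) {
    QueryInfo& info = query_infos_[client_id];
    info.type = target;
    active_queries_[target] = ActiveQuery{info.service_id};
  }

  // Returns the service id of the query that was ended, or nullopt when no
  // query of that target is active (the state DoEndQueryEXT now CHECKs).
  std::optional<GLuint> EndQuery(GLenum target) {
    auto it = active_queries_.find(target);
    if (it == active_queries_.end()) return std::nullopt;
    GLuint ended = it->second.service_id;
    active_queries_.erase(it);
    return ended;
  }

  // check_id == false reproduces the pre-fix logic (erase by type only);
  // check_id == true reproduces the patched logic (type and service id).
  void DeleteQuery(GLuint client_id, bool check_id) {
    auto info_it = query_infos_.find(client_id);
    if (info_it == query_infos_.end()) return;
    const QueryInfo& query_info = info_it->second;
    GLuint query_service_id = query_info.service_id;

    auto active_query_iter = active_queries_.find(query_info.type);
    if (active_query_iter != active_queries_.end() &&
        (!check_id ||
         active_query_iter->second.service_id == query_service_id)) {
      active_queries_.erase(active_query_iter);
    }
    query_infos_.erase(info_it);
  }

 private:
  std::map<GLuint, QueryInfo> query_infos_;
  std::map<GLenum, ActiveQuery> active_queries_;
};

// Scenario from the commit message: query 1 was begun and ended earlier (so
// its type is recorded), query 2 of the same type is currently active, and
// the client deletes query 1. Returns whether ending query 2 afterwards
// still finds it in active_queries_.
bool ActiveQuerySurvivesDelete(bool check_id) {
  Decoder d;
  d.GenQuery(/*client_id=*/1, /*service_id=*/101);
  d.GenQuery(/*client_id=*/2, /*service_id=*/102);
  d.BeginQuery(GL_ANY_SAMPLES_PASSED_EXT, 1);
  d.EndQuery(GL_ANY_SAMPLES_PASSED_EXT);       // query 1 finished
  d.BeginQuery(GL_ANY_SAMPLES_PASSED_EXT, 2);  // query 2 now active
  d.DeleteQuery(1, check_id);  // delete the inactive query of the same type
  std::optional<GLuint> ended = d.EndQuery(GL_ANY_SAMPLES_PASSED_EXT);
  return ended.has_value() && *ended == 102;
}

int main() {
  assert(!ActiveQuerySurvivesDelete(/*check_id=*/false));  // old code loses it
  assert(ActiveQuerySurvivesDelete(/*check_id=*/true));    // patched code keeps it
  return 0;
}
```

With the old check, deleting the already-finished query 1 removes the entry that actually belongs to query 2, so the later end of query 2 finds nothing; in the real decoder that missing entry is what the `DCHECK` in `DoEndQueryEXT` was silently tolerating in release builds.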
1 parent 61e6739 commit 9705fdf

1 file changed, +5 -3 lines changed

chromium/gpu/command_buffer/service/gles2_cmd_decoder_passthrough_doers.cc

Lines changed: 5 additions & 3 deletions
@@ -3843,8 +3843,10 @@ error::Error GLES2DecoderPassthroughImpl::DoDeleteQueriesEXT(
38433843
continue;
38443844
}
38453845

3846-
if (base::Contains(active_queries_, query_info.type)) {
3847-
active_queries_.erase(query_info.type);
3846+
auto active_query_iter = active_queries_.find(query_info.type);
3847+
if (active_query_iter != active_queries_.end() &&
3848+
active_query_iter->second.service_id == query_service_id) {
3849+
active_queries_.erase(active_query_iter);
38483850
}
38493851

38503852
RemovePendingQuery(query_service_id);
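Review bot: the new comparison `active_query_iter->second.service_id == query_service_id` is the entire fix, yet nothing in the hunk records why it is needed; add a short comment above the `find` stating that active_queries_ is keyed by target type, so deleting any other query of the same type used to drop the entry for the query that is actually active and leave DoEndQueryEXT without it. This backport touches only the decoder source (1 file changed); a regression test that deletes an inactive query of the same target while another is active, then ends the active one, would pin the behaviour the commit message describes.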
@@ -4030,7 +4032,7 @@ error::Error GLES2DecoderPassthroughImpl::DoEndQueryEXT(GLenum target,
40304032
}
40314033
}
40324034

4033-
DCHECK(active_queries_.find(target) != active_queries_.end());
4035+
CHECK(base::Contains(active_queries_, target));
40344036
ActiveQuery active_query = std::move(active_queries_[target]);
40354037
active_queries_.erase(target);
40364038

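Review bot: promoting the DCHECK to `CHECK(base::Contains(active_queries_, target))` makes a missing active entry a hard GPU-process abort in release builds, instead of letting `active_queries_[target]` on the next line default-insert an ActiveQuery with a zero service_id and carry on; given that this is a CVE fix, a comment saying this is an invariant guaranteed by the DoDeleteQueriesEXT change, not a client-reachable error that should be reported back, would help future readers judge CHECK versus an error return. As a style point, keeping the iterator from a single `find` for both the `std::move` and the `erase` would avoid three lookups (`Contains`, `operator[]`, `erase`) on the same key.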