From 0ba10283fb3cbdf1cedea79d84e4bc3b720da6a1 Mon Sep 17 00:00:00 2001
From: Jeroen Dhollander <jeroendh@google.com>
Date: Fri, 3 Jun 2022 14:37:09 +0000
Subject: [PATCH] Fix memory corruption in BasicDesktopFrame::CopyTo

This memory corruption happens inside libyuv::CopyPlane()
on platforms that support AVX. I opened b/234824290 so the libyuv team
can investigate and fix this, but in the mean time we need to get this
fixed asap as this is causing crashes on both M102 (which is released to
stable) and M103 (which has this issue marked as beta blocking).

Fixed: b/234824290
Fixed: chromium:1330019
Test: Manually reproduced on zork board
Change-Id: I6bfd1e089020dfb23d974d3912d45c01a4e5ce26
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/265041
Auto-Submit: Jeroen Dhollander <jeroendh@google.com>
Commit-Queue: Alexander Cooper <alcooper@chromium.org>
Reviewed-by: Alexander Cooper <alcooper@chromium.org>
Cr-Commit-Position: refs/heads/main@{#37121}
---
 modules/desktop_capture/desktop_frame.cc | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/modules/desktop_capture/desktop_frame.cc b/modules/desktop_capture/desktop_frame.cc
index 6e24fab4b5..a215e413c7 100644
--- a/modules/desktop_capture/desktop_frame.cc
+++ b/modules/desktop_capture/desktop_frame.cc
@@ -13,6 +13,7 @@
 #include <string.h>
 
 #include <cmath>
+#include <cstring>
 #include <memory>
 #include <utility>
 
@@ -23,6 +24,15 @@
 
 namespace webrtc {
 
+namespace {
+
+// Calculate the size of the data buffer size used to store a BasicDesktopFrame.
+int CalculateDataSizeFor(const DesktopSize& size) {
+  return DesktopFrame::kBytesPerPixel * size.width() * size.height();
+}
+
+}  // namespace
+
 DesktopFrame::DesktopFrame(DesktopSize size,
                            int stride,
                            uint8_t* data,
@@ -147,7 +157,7 @@ void DesktopFrame::MoveFrameInfoFrom(DesktopFrame* other) {
 BasicDesktopFrame::BasicDesktopFrame(DesktopSize size)
     : DesktopFrame(size,
                    kBytesPerPixel * size.width(),
-                   new uint8_t[kBytesPerPixel * size.width() * size.height()](),
+                   new uint8_t[CalculateDataSizeFor(size)](),
                    nullptr) {}
 
 BasicDesktopFrame::~BasicDesktopFrame() {
@@ -157,9 +167,9 @@ BasicDesktopFrame::~BasicDesktopFrame() {
 // static
 DesktopFrame* BasicDesktopFrame::CopyOf(const DesktopFrame& frame) {
   DesktopFrame* result = new BasicDesktopFrame(frame.size());
-  libyuv::CopyPlane(frame.data(), frame.stride(), result->data(),
-                    result->stride(), frame.size().width() * kBytesPerPixel,
-                    frame.size().height());
+  // TODO(b/234824290): Using memcpy until libyuv::CopyPlane() is fixed to no
+  // longer introduce memory corruption on platforms that support AVX.
+  memcpy(result->data(), frame.data(), CalculateDataSizeFor(result->size()));
   result->CopyFrameInfoFrom(frame);
   return result;
 }