From 04ff0203681d3e21a201084d39c29e6d44ef8358 Mon Sep 17 00:00:00 2001
From: Robert Phillips <robertphillips@google.com>
Date: Thu, 23 Apr 2026 12:57:10 -0400
Subject: [PATCH] [graphite] Fix a security issue in
 GlobalCache::findGraphicsPipeline

Bug: https://issues.chromium.org/issues/500393328
Change-Id: I35ad93eaba08fcb4c0896993ff857902622581a0
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/1217456
Commit-Queue: Robert Phillips <robertphillips@google.com>
Reviewed-by: Michael Ludwig <michaelludwig@google.com>
---
 src/gpu/graphite/GlobalCache.cpp | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

--- a/src/gpu/graphite/GlobalCache.cpp
+++ b/src/gpu/graphite/GlobalCache.cpp
@@ -177,31 +177,33 @@
     [[maybe_unused]] bool forPrecompile =
             SkToBool(pipelineCreationFlags & PipelineCreationFlags::kForPrecompilation);
 
-    sk_sp<GraphicsPipeline>* entry = nullptr;
+    sk_sp<GraphicsPipeline> result;
     {
         SkAutoSpinlock lock{fSpinLock};
 
-        entry = fGraphicsPipelineCache.find(key);
+        sk_sp<GraphicsPipeline>* entry = fGraphicsPipelineCache.find(key);
         if (entry) {
-            if ((*entry)->didAsyncCompilationFail()) SK_UNLIKELY {
+            result = *entry;
+
+            if (result->didAsyncCompilationFail()) SK_UNLIKELY {
                 // If the pipeline failed, remove it from the cache and let it be regenerated.
-                this->removeGraphicsPipeline((*entry).get());
+                this->removeGraphicsPipeline(result.get());
                 return nullptr;
             }
 #if defined(GPU_TEST_UTILS)
             ++fStats.fGraphicsCacheHits;
 #endif
 
-            if ((*entry)->epoch() != fEpochCounter) {
-                (*entry)->markEpoch(fEpochCounter);   // update epoch due to use in a new epoch
+            if (result->epoch() != fEpochCounter) {
+                result->markEpoch(fEpochCounter);   // update epoch due to use in a new epoch
                 ++fStats.fPipelineUsesInEpoch;
             }
-            if (!forPrecompile && (*entry)->fromPrecompile() && !(*entry)->wasUsed()) {
+            if (!forPrecompile && result->fromPrecompile() && !result->wasUsed()) {
                 ++fStats.fNormalPreemptedByPrecompile;
             }
 
-            (*entry)->updateAccessTime();
-            (*entry)->markUsed();
+            result->updateAccessTime();
+            result->markUsed();
 
 #if defined(SK_PIPELINE_LIFETIME_LOGGING)
             static const char* kNames[2] = { "CacheHitForN", "CacheHitForP" };
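Review bot: The added `result = *entry;` is the line that actually fixes the lifetime problem, yet nothing in the code says why the ref has to be taken there, so a later cleanup could go back to carrying `entry` out of the lock scope. `entry` comes from `fGraphicsPipelineCache.find(key)` and, judging by the removed lines, was previously dereferenced after `fSpinLock` had been released. I would add above the assignment: `// Take a ref while fSpinLock is held; 'entry' points into the cache and must not be used once the lock is released.` The enclosing function starts before this hunk and continues past it.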
@@ -209,7 +211,7 @@
                                  TRACE_STR_STATIC(kNames[forPrecompile]),
                                  TRACE_EVENT_SCOPE_THREAD,
                                  "key", key.hash(),
-                                 "compilationID", (*entry)->getPipelineInfo().fCompilationID);
+                                 "compilationID", result->getPipelineInfo().fCompilationID);
 #endif
         } else {
 #if defined(GPU_TEST_UTILS)
@@ -234,12 +236,11 @@
         }
     }
 
-    if (entry) {
-        this->invokePipelineCallback(ContextOptions::PipelineCacheOp::kPipelineFound, entry->get());
-        return *entry;
+    if (result) {
+        this->invokePipelineCallback(ContextOptions::PipelineCacheOp::kPipelineFound, result.get());
     }
 
-    return nullptr;
+    return result;
 }
 
 #if SK_HISTOGRAMS_ENABLED
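Review bot: No test pins the guarantee that `return result;` and the `invokePipelineCallback(..., result.get())` call now rely on, namely that the pipeline stays alive after the lock scope ends; the diffstat lists only GlobalCache.cpp. A regression test that looks up pipelines on one thread while another removes them from the cache, run in a sanitizer build, would keep this from regressing silently. A short comment on `if (result) {` such as `// 'result' holds its own ref, so the callback can run outside fSpinLock.` would also help. The function body begins outside this hunk.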
