Fix out-of-bounds reads in BlitFramebuffer.

This was a missing part of the validation. Makes us pass the WebGL test conformance2/rendering/blitframebuffer-outside-readbuffer. Was necessary for lazy robust resource init. BUG=angleproject:2107 BUG=chromium:644740 Change-Id: I54c50012fc09ec80a65a2e75f5bde05101c8a1a7 Reviewed-on: https://chromium-review.googlesource.com/663212Reviewed-by: Frank Henigman <fjhenigman@chromium.org> Reviewed-by: Yuly Novikov <ynovikov@chromium.org> Commit-Queue: Jamie Madill <jmadill@chromium.org>

Fix out-of-bounds reads in BlitFramebuffer.
096fd623 · Jamie Madill · Commit Bot · c9fed8dd · 096fd623
Commit 096fd623 authored Sep 12, 2017 by Jamie Madill Committed by Commit Bot Sep 12, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 0 deletions

Renderer11.cpp src/libANGLE/renderer/d3d/d3d11/Renderer11.cpp +39 -0

No files found.
--- a/src/libANGLE/renderer/d3d/d3d11/Renderer11.cpp
+++ b/src/libANGLE/renderer/d3d/d3d11/Renderer11.cpp
@@ -3363,6 +3363,31 @@ gl::Error Renderer11::blitRenderbufferRect(const gl::Context *context,
    // by internally scaling the read and draw rectangles.
    gl::Rectangle readRect = readRectIn;
    gl::Rectangle drawRect = drawRectIn;
+
+    auto flip = [](int val) { return val >= 0 ? 1 : -1; };
+
+    if (readRect.x > readSize.width && readRect.width < 0)
+    {
+        int delta = readRect.x - readSize.width;
+        readRect.x -= delta;
+        readRect.width += delta;
+
+        int drawDelta = delta * flip(drawRect.width);
+        drawRect.x += drawDelta;
+        drawRect.width -= drawDelta;
+    }
+
+    if (readRect.y > readSize.height && readRect.height < 0)
+    {
+        int delta = readRect.y - readSize.height;
+        readRect.y -= delta;
+        readRect.height += delta;
+
+        int drawDelta = delta * flip(drawRect.height);
+        drawRect.y += drawDelta;
+        drawRect.height -= drawDelta;
+    }
+
    auto readToDrawX       = [&drawRectIn, &readRectIn](int readOffset) {
        double readToDrawScale =
            static_cast<double>(drawRectIn.width) / static_cast<double>(readRectIn.width);
@@ -3413,6 +3438,20 @@ gl::Error Renderer11::blitRenderbufferRect(const gl::Context *context,
        drawRect.height += drawOffset;
    }

+    if (readRect.x1() > readSize.width)
+    {
+        int delta = readRect.x1() - readSize.width;
+        readRect.width -= delta;
+        drawRect.width -= delta * flip(drawRect.width);
+    }
+
+    if (readRect.y1() > readSize.height)
+    {
+        int delta = readRect.y1() - readSize.height;
+        readRect.height -= delta;
+        drawRect.height -= delta * flip(drawRect.height);
+    }
+
    bool scissorNeeded = scissor && gl::ClipRectangle(drawRect, *scissor, nullptr);

    const auto &destFormatInfo =