D3D11: Fix out-of-range access with robust access.

src/libANGLE/params.cpp

@@ -100,7 +100,7 @@ GLint DrawCallParams::firstVertex() const
     return mFirstVertex;
 }
 
-GLsizei DrawCallParams::vertexCount() const
+size_t DrawCallParams::vertexCount() const
 {
     ASSERT(!isDrawElements() || mIndexRange.valid());
     return mVertexCount;
@@ -179,7 +179,7 @@ Error DrawCallParams::ensureIndexRangeResolved(const Context *context) const
 
     const IndexRange &indexRange = mIndexRange.value();
     mFirstVertex                 = mBaseVertex + static_cast<GLint>(indexRange.start);
-    mVertexCount                 = static_cast<GLsizei>(indexRange.vertexCount());
+    mVertexCount                 = indexRange.vertexCount();
 
     return NoError();
 }

src/libANGLE/params.h

@@ -98,7 +98,7 @@ class DrawCallParams final : angle::NonCopyable
     // This value is the sum of 'baseVertex' and the first indexed vertex for DrawElements calls.
     GLint firstVertex() const;
 
-    GLsizei vertexCount() const;
+    size_t vertexCount() const;
     GLsizei indexCount() const;
     GLint baseVertex() const;
     GLenum type() const;
@@ -113,6 +113,9 @@ class DrawCallParams final : angle::NonCopyable
     // ensureIndexRangeResolved must be called first.
     const IndexRange &getIndexRange() const;
 
+    template <typename T>
+    T getClampedVertexCount() const;
+
     template <EntryPoint EP, typename... ArgsT>
     static void Factory(DrawCallParams *objBuffer, ArgsT... args);
 
@@ -122,7 +125,7 @@ class DrawCallParams final : angle::NonCopyable
     GLenum mMode;
     mutable Optional<IndexRange> mIndexRange;
     mutable GLint mFirstVertex;
-    mutable GLsizei mVertexCount;
+    mutable size_t mVertexCount;
     GLint mIndexCount;
     GLint mBaseVertex;
     GLenum mType;
@@ -131,6 +134,13 @@ class DrawCallParams final : angle::NonCopyable
     const void *mIndirect;
 };
 
+template <typename T>
+T DrawCallParams::getClampedVertexCount() const
+{
+    constexpr size_t kMax = static_cast<size_t>(std::numeric_limits<T>::max());
+    return static_cast<T>(mVertexCount > kMax ? kMax : mVertexCount);
+}
+
 // Entry point funcs essentially re-map different entry point parameter arrays into
 // the format the parameter type class expects. For example, for HasIndexRange, for the
 // various indexed draw calls, they drop parameters that aren't useful and re-arrange

src/libANGLE/renderer/d3d/BufferD3D.cpp

@@ -160,10 +160,11 @@ void BufferD3D::invalidateStaticData(const gl::Context *context)
 }
 
 // Creates static buffers if sufficient used data has been left unmodified
-void BufferD3D::promoteStaticUsage(const gl::Context *context, int dataSize)
+void BufferD3D::promoteStaticUsage(const gl::Context *context, size_t dataSize)
 {
     if (mUsage == D3DBufferUsage::DYNAMIC)
     {
+        // Note: This is not a safe math operation. 'dataSize' can come from the app.
         mUnmodifiedDataUse += dataSize;
 
         if (mUnmodifiedDataUse > 3 * getSize())

src/libANGLE/renderer/d3d/BufferD3D.h

@@ -55,7 +55,7 @@ class BufferD3D : public BufferImpl
     virtual void initializeStaticData(const gl::Context *context);
     virtual void invalidateStaticData(const gl::Context *context);
 
-    void promoteStaticUsage(const gl::Context *context, int dataSize);
+    void promoteStaticUsage(const gl::Context *context, size_t dataSize);
 
     gl::Error getIndexRange(const gl::Context *context,
                             GLenum type,
@@ -80,7 +80,7 @@ class BufferD3D : public BufferImpl
     StaticIndexBufferInterface *mStaticIndexBuffer;
     unsigned int mStaticBufferCacheTotalSize;
     unsigned int mStaticVertexBufferOutOfDate;
-    unsigned int mUnmodifiedDataUse;
+    size_t mUnmodifiedDataUse;
     D3DBufferUsage mUsage;
 };
 

src/libANGLE/renderer/d3d/RendererD3D.h

@@ -95,7 +95,7 @@ class BufferFactoryD3D : angle::NonCopyable
     virtual gl::ErrorOrResult<unsigned int> getVertexSpaceRequired(
         const gl::VertexAttribute &attrib,
         const gl::VertexBinding &binding,
-        GLsizei count,
+        size_t count,
         GLsizei instances) const = 0;
 };
 

src/libANGLE/renderer/d3d/VertexBuffer.cpp

@@ -155,7 +155,7 @@ gl::Error StreamingVertexBufferInterface::storeDynamicAttribute(const gl::Vertex
                                                                 const gl::VertexBinding &binding,
                                                                 GLenum currentValueType,
                                                                 GLint start,
-                                                                GLsizei count,
+                                                                size_t count,
                                                                 GLsizei instances,
                                                                 unsigned int *outStreamOffset,
                                                                 const uint8_t *sourceData)
@@ -190,7 +190,7 @@ gl::Error StreamingVertexBufferInterface::storeDynamicAttribute(const gl::Vertex
 
 gl::Error StreamingVertexBufferInterface::reserveVertexSpace(const gl::VertexAttribute &attrib,
                                                              const gl::VertexBinding &binding,
-                                                             GLsizei count,
+                                                             size_t count,
                                                              GLsizei instances)
 {
     unsigned int requiredSpace = 0;

src/libANGLE/renderer/d3d/VertexBuffer.h

@@ -45,7 +45,7 @@ class VertexBuffer : angle::NonCopyable
                                             const gl::VertexBinding &binding,
                                             GLenum currentValueType,
                                             GLint start,
-                                            GLsizei count,
+                                            size_t count,
                                             GLsizei instances,
                                             unsigned int offset,
                                             const uint8_t *sourceData) = 0;
@@ -110,14 +110,14 @@ class StreamingVertexBufferInterface : public VertexBufferInterface
                                     const gl::VertexBinding &binding,
                                     GLenum currentValueType,
                                     GLint start,
-                                    GLsizei count,
+                                    size_t count,
                                     GLsizei instances,
                                     unsigned int *outStreamOffset,
                                     const uint8_t *sourceData);
 
     gl::Error reserveVertexSpace(const gl::VertexAttribute &attribute,
                                  const gl::VertexBinding &binding,
-                                 GLsizei count,
+                                 size_t count,
                                  GLsizei instances);
 
   private:

src/libANGLE/renderer/d3d/VertexDataManager.cpp

@@ -392,7 +392,7 @@ gl::Error VertexDataManager::storeDynamicAttribs(
     std::vector<TranslatedAttribute> *translatedAttribs,
     const gl::AttributesMask &dynamicAttribsMask,
     GLint start,
-    GLsizei count,
+    size_t count,
     GLsizei instances)
 {
     // Instantiating this class will ensure the streaming buffer is never left mapped.
@@ -434,7 +434,7 @@ void VertexDataManager::PromoteDynamicAttribs(
     const gl::Context *context,
     const std::vector<TranslatedAttribute> &translatedAttribs,
     const gl::AttributesMask &dynamicAttribsMask,
-    GLsizei count)
+    size_t count)
 {
     for (auto attribIndex : dynamicAttribsMask)
     {
@@ -445,16 +445,17 @@ void VertexDataManager::PromoteDynamicAttribs(
         gl::Buffer *buffer = binding.getBuffer().get();
         if (buffer)
         {
+            // Note: this multiplication can overflow. It should not be a security problem.
             BufferD3D *bufferD3D = GetImplAs<BufferD3D>(buffer);
             size_t typeSize      = ComputeVertexAttributeTypeSize(*dynamicAttrib.attribute);
-            bufferD3D->promoteStaticUsage(context, count * static_cast<int>(typeSize));
+            bufferD3D->promoteStaticUsage(context, count * typeSize);
         }
     }
 }
 
 gl::Error VertexDataManager::reserveSpaceForAttrib(const TranslatedAttribute &translatedAttrib,
                                                    GLint start,
-                                                   GLsizei count,
+                                                   size_t count,
                                                    GLsizei instances) const
 {
     ASSERT(translatedAttrib.attribute && translatedAttrib.binding);
@@ -467,8 +468,8 @@ gl::Error VertexDataManager::reserveSpaceForAttrib(const TranslatedAttribute &tr
     BufferD3D *bufferD3D = buffer ? GetImplAs<BufferD3D>(buffer) : nullptr;
     ASSERT(!bufferD3D || bufferD3D->getStaticVertexBuffer(attrib, binding) == nullptr);
 
-    size_t totalCount = gl::ComputeVertexBindingElementCount(
-        binding.getDivisor(), static_cast<size_t>(count), static_cast<size_t>(instances));
+    size_t totalCount = gl::ComputeVertexBindingElementCount(binding.getDivisor(), count,
+                                                             static_cast<size_t>(instances));
     // TODO(jiajia.qin@intel.com): force the index buffer to clamp any out of range indices instead
     // of invalid operation here.
     if (bufferD3D)
@@ -486,15 +487,14 @@ gl::Error VertexDataManager::reserveSpaceForAttrib(const TranslatedAttribute &tr
             return gl::InvalidOperation() << "Vertex buffer is not big enough for the draw call.";
         }
     }
-    return mStreamingBuffer->reserveVertexSpace(attrib, binding, static_cast<GLsizei>(totalCount),
-                                                instances);
+    return mStreamingBuffer->reserveVertexSpace(attrib, binding, totalCount, instances);
 }
 
 gl::Error VertexDataManager::storeDynamicAttrib(const gl::Context *context,
                                                 TranslatedAttribute *translated,
                                                 GLint start,
-                                                GLsizei count,
-                                                GLsizei instances)
+                                                size_t count,
+                                                GLsizei instances) const
 {
     ASSERT(translated->attribute && translated->binding);
     const auto &attrib  = *translated->attribute;
@@ -529,8 +529,8 @@ gl::Error VertexDataManager::storeDynamicAttrib(const gl::Context *context,
     translated->storage = nullptr;
     ANGLE_TRY_RESULT(mFactory->getVertexSpaceRequired(attrib, binding, 1, 0), translated->stride);
 
-    size_t totalCount = gl::ComputeVertexBindingElementCount(
-        binding.getDivisor(), static_cast<size_t>(count), static_cast<size_t>(instances));
+    size_t totalCount = gl::ComputeVertexBindingElementCount(binding.getDivisor(), count,
+                                                             static_cast<size_t>(instances));
 
     ANGLE_TRY(mStreamingBuffer->storeDynamicAttribute(
         attrib, binding, translated->currentValueType, firstVertexIndex,

src/libANGLE/renderer/d3d/VertexDataManager.h

@@ -105,14 +105,14 @@ class VertexDataManager : angle::NonCopyable
                                   std::vector<TranslatedAttribute> *translatedAttribs,
                                   const gl::AttributesMask &dynamicAttribsMask,
                                   GLint start,
-                                  GLsizei count,
+                                  size_t count,
                                   GLsizei instances);
 
     // Promote static usage of dynamic buffers.
     static void PromoteDynamicAttribs(const gl::Context *context,
                                       const std::vector<TranslatedAttribute> &translatedAttribs,
                                       const gl::AttributesMask &dynamicAttribsMask,
-                                      GLsizei count);
+                                      size_t count);
 
     gl::Error storeCurrentValue(const gl::VertexAttribCurrentValueData &currentValue,
                                 TranslatedAttribute *translated,
@@ -130,15 +130,15 @@ class VertexDataManager : angle::NonCopyable
     };
 
     gl::Error reserveSpaceForAttrib(const TranslatedAttribute &translatedAttrib,
-                                    GLsizei count,
                                     GLint start,
+                                    size_t count,
                                     GLsizei instances) const;
 
     gl::Error storeDynamicAttrib(const gl::Context *context,
                                  TranslatedAttribute *translated,
                                  GLint start,
-                                 GLsizei count,
-                                 GLsizei instances);
+                                 size_t count,
+                                 GLsizei instances) const;
 
     BufferFactoryD3D *const mFactory;
 

src/libANGLE/renderer/d3d/d3d11/InputLayoutCache.cpp

@@ -246,11 +246,12 @@ gl::Error InputLayoutCache::createInputLayout(
         // As per the spec for ANGLE_instanced_arrays, not all attributes can be instanced
         // simultaneously, so a non-instanced element must exist.
 
-        GLsizei numIndicesPerInstance = 0;
+        UINT numIndicesPerInstance = 0;
         if (drawCallParams.instances() > 0)
         {
             // This requires that the index range is resolved.
-            numIndicesPerInstance = drawCallParams.vertexCount();
+            // Note: Vertex indexes can be arbitrarily large.
+            numIndicesPerInstance = drawCallParams.getClampedVertexCount<UINT>();
         }
 
         for (size_t elementIndex = 0; elementIndex < inputElementCount; ++elementIndex)

src/libANGLE/renderer/d3d/d3d11/Renderer11.cpp

@@ -1403,7 +1403,7 @@ void *Renderer11::getD3DDevice()
 
 gl::Error Renderer11::drawArrays(const gl::Context *context, const gl::DrawCallParams &params)
 {
-    if (params.vertexCount() < mStateManager.getCurrentMinimumDrawCount())
+    if (params.vertexCount() < static_cast<size_t>(mStateManager.getCurrentMinimumDrawCount()))
     {
         return gl::NoError();
     }
@@ -1419,6 +1419,9 @@ gl::Error Renderer11::drawArrays(const gl::Context *context, const gl::DrawCallP
     GLsizei adjustedInstanceCount = GetAdjustedInstanceCount(program, params.instances());
     ProgramD3D *programD3D        = GetImplAs<ProgramD3D>(program);
 
+    // Note: vertex indexes can be arbitrarily large.
+    UINT clampedVertexCount = params.getClampedVertexCount<UINT>();
+
     if (programD3D->usesGeometryShader(params.mode()) &&
         glState.isTransformFeedbackActiveUnpaused())
     {
@@ -1430,11 +1433,11 @@ gl::Error Renderer11::drawArrays(const gl::Context *context, const gl::DrawCallP
 
         if (adjustedInstanceCount > 0)
         {
-            mDeviceContext->DrawInstanced(params.vertexCount(), adjustedInstanceCount, 0, 0);
+            mDeviceContext->DrawInstanced(clampedVertexCount, adjustedInstanceCount, 0, 0);
         }
         else
         {
-            mDeviceContext->Draw(params.vertexCount(), 0);
+            mDeviceContext->Draw(clampedVertexCount, 0);
         }
 
         rx::ShaderExecutableD3D *pixelExe = nullptr;
@@ -1458,24 +1461,24 @@ gl::Error Renderer11::drawArrays(const gl::Context *context, const gl::DrawCallP
 
         if (adjustedInstanceCount > 0)
         {
-            mDeviceContext->DrawInstanced(params.vertexCount(), adjustedInstanceCount, 0, 0);
+            mDeviceContext->DrawInstanced(clampedVertexCount, adjustedInstanceCount, 0, 0);
         }
         else
         {
-            mDeviceContext->Draw(params.vertexCount(), 0);
+            mDeviceContext->Draw(clampedVertexCount, 0);
         }
         return gl::NoError();
     }
 
     if (params.mode() == GL_LINE_LOOP)
     {
-        return drawLineLoop(context, params.vertexCount(), GL_NONE, nullptr, 0,
+        return drawLineLoop(context, clampedVertexCount, GL_NONE, nullptr, 0,
                             adjustedInstanceCount);
     }
 
     if (params.mode() == GL_TRIANGLE_FAN)
     {
-        return drawTriangleFan(context, params.vertexCount(), GL_NONE, nullptr, 0,
+        return drawTriangleFan(context, clampedVertexCount, GL_NONE, nullptr, 0,
                                adjustedInstanceCount);
     }
 
@@ -1486,11 +1489,11 @@ gl::Error Renderer11::drawArrays(const gl::Context *context, const gl::DrawCallP
     {
         if (adjustedInstanceCount == 0)
         {
-            mDeviceContext->Draw(params.vertexCount(), 0);
+            mDeviceContext->Draw(clampedVertexCount, 0);
         }
         else
         {
-            mDeviceContext->DrawInstanced(params.vertexCount(), adjustedInstanceCount, 0, 0);
+            mDeviceContext->DrawInstanced(clampedVertexCount, adjustedInstanceCount, 0, 0);
         }
         return gl::NoError();
     }
@@ -1503,7 +1506,7 @@ gl::Error Renderer11::drawArrays(const gl::Context *context, const gl::DrawCallP
     // D3D_PRIMITIVE_TOPOLOGY_TRIANGLELIST and DrawIndexedInstanced is called instead.
     if (adjustedInstanceCount == 0)
     {
-        mDeviceContext->DrawIndexedInstanced(6, params.vertexCount(), 0, 0, 0);
+        mDeviceContext->DrawIndexedInstanced(6, clampedVertexCount, 0, 0, 0);
         return gl::NoError();
     }
 
@@ -1516,7 +1519,7 @@ gl::Error Renderer11::drawArrays(const gl::Context *context, const gl::DrawCallP
     {
         ANGLE_TRY(
             mStateManager.updateVertexOffsetsForPointSpritesEmulation(params.baseVertex(), i));
-        mDeviceContext->DrawIndexedInstanced(6, params.vertexCount(), 0, 0, 0);
+        mDeviceContext->DrawIndexedInstanced(6, clampedVertexCount, 0, 0, 0);
     }
 
     // This required by updateVertexOffsets... above but is outside of the loop for speed.
@@ -1595,13 +1598,13 @@ gl::Error Renderer11::drawElements(const gl::Context *context, const gl::DrawCal
     // efficent code path. Instanced rendering of emulated pointsprites requires a loop to draw each
     // batch of points. An offset into the instanced data buffer is calculated and applied on each
     // iteration to ensure all instances are rendered correctly.
-    GLsizei elementsToRender = params.vertexCount();
+    UINT clampedVertexCount = params.getClampedVertexCount<UINT>();
 
     // Each instance being rendered requires the inputlayout cache to reapply buffers and offsets.
     for (GLsizei i = 0; i < params.instances(); i++)
     {
         ANGLE_TRY(mStateManager.updateVertexOffsetsForPointSpritesEmulation(startVertex, i));
-        mDeviceContext->DrawIndexedInstanced(6, elementsToRender, 0, 0, 0);
+        mDeviceContext->DrawIndexedInstanced(6, clampedVertexCount, 0, 0, 0);
     }
     mStateManager.invalidateVertexBuffer();
     return gl::NoError();
@@ -1653,7 +1656,7 @@ gl::Error Renderer11::drawElementsIndirect(const gl::Context *context,
 }
 
 gl::Error Renderer11::drawLineLoop(const gl::Context *context,
-                                   GLsizei count,
+                                   GLuint count,
                                    GLenum type,
                                    const void *indexPointer,
                                    int baseVertex,
@@ -1690,8 +1693,6 @@ gl::Error Renderer11::drawLineLoop(const gl::Context *context,
     }
 
     // Checked by Renderer11::applyPrimitiveType
-    ASSERT(count >= 0);
-
     if (static_cast<unsigned int>(count) + 1 >
         (std::numeric_limits<unsigned int>::max() / sizeof(unsigned int)))
     {
@@ -1737,7 +1738,7 @@ gl::Error Renderer11::drawLineLoop(const gl::Context *context,
 }
 
 gl::Error Renderer11::drawTriangleFan(const gl::Context *context,
-                                      GLsizei count,
+                                      GLuint count,
                                       GLenum type,
                                       const void *indices,
                                       int baseVertex,
@@ -3570,7 +3571,7 @@ GLenum Renderer11::getVertexComponentType(gl::VertexFormatType vertexFormatType)
 gl::ErrorOrResult<unsigned int> Renderer11::getVertexSpaceRequired(
     const gl::VertexAttribute &attrib,
     const gl::VertexBinding &binding,
-    GLsizei count,
+    size_t count,
     GLsizei instances) const
 {
     if (!attrib.enabled)

src/libANGLE/renderer/d3d/d3d11/Renderer11.h

@@ -342,7 +342,7 @@ class Renderer11 : public RendererD3D
     // function.
     gl::ErrorOrResult<unsigned int> getVertexSpaceRequired(const gl::VertexAttribute &attrib,
                                                            const gl::VertexBinding &binding,
-                                                           GLsizei count,
+                                                           size_t count,
                                                            GLsizei instances) const override;
 
     gl::Error readFromAttachment(const gl::Context *context,
@@ -460,13 +460,13 @@ class Renderer11 : public RendererD3D
     angle::WorkaroundsD3D generateWorkarounds() const override;
 
     gl::Error drawLineLoop(const gl::Context *context,
-                           GLsizei count,
+                           GLuint count,
                            GLenum type,
                            const void *indices,
                            int baseVertex,
                            int instances);
     gl::Error drawTriangleFan(const gl::Context *context,
-                              GLsizei count,
+                              GLuint count,
                               GLenum type,
                               const void *indices,
                               int baseVertex,

src/libANGLE/renderer/d3d/d3d11/VertexBuffer11.cpp

@@ -96,7 +96,7 @@ gl::Error VertexBuffer11::storeVertexAttributes(const gl::VertexAttribute &attri
                                                 const gl::VertexBinding &binding,
                                                 GLenum currentValueType,
                                                 GLint start,
-                                                GLsizei count,
+                                                size_t count,
                                                 GLsizei instances,
                                                 unsigned int offset,
                                                 const uint8_t *sourceData)

src/libANGLE/renderer/d3d/d3d11/VertexBuffer11.h

@@ -31,7 +31,7 @@ class VertexBuffer11 : public VertexBuffer
                                     const gl::VertexBinding &binding,
                                     GLenum currentValueType,
                                     GLint start,
-                                    GLsizei count,
+                                    size_t count,
                                     GLsizei instances,
                                     unsigned int offset,
                                     const uint8_t *sourceData) override;

src/libANGLE/renderer/d3d/d3d9/Renderer9.cpp

@@ -3007,7 +3007,7 @@ GLenum Renderer9::getVertexComponentType(gl::VertexFormatType vertexFormatType)
 
 gl::ErrorOrResult<unsigned int> Renderer9::getVertexSpaceRequired(const gl::VertexAttribute &attrib,
                                                                   const gl::VertexBinding &binding,
-                                                                  GLsizei count,
+                                                                  size_t count,
                                                                   GLsizei instances) const
 {
     if (!attrib.enabled)

src/libANGLE/renderer/d3d/d3d9/Renderer9.h

@@ -346,7 +346,7 @@ class Renderer9 : public RendererD3D
     // function.
     gl::ErrorOrResult<unsigned int> getVertexSpaceRequired(const gl::VertexAttribute &attrib,
                                                            const gl::VertexBinding &binding,
-                                                           GLsizei count,
+                                                           size_t count,
                                                            GLsizei instances) const override;
 
     gl::Error copyToRenderTarget(IDirect3DSurface9 *dest,

src/libANGLE/renderer/d3d/d3d9/VertexBuffer9.cpp

@@ -61,7 +61,7 @@ gl::Error VertexBuffer9::storeVertexAttributes(const gl::VertexAttribute &attrib
                                                const gl::VertexBinding &binding,
                                                GLenum currentValueType,
                                                GLint start,
-                                               GLsizei count,
+                                               size_t count,
                                                GLsizei instances,
                                                unsigned int offset,
                                                const uint8_t *sourceData)
@@ -71,8 +71,8 @@ gl::Error VertexBuffer9::storeVertexAttributes(const gl::VertexAttribute &attrib
         return gl::OutOfMemory() << "Internal vertex buffer is not initialized.";
     }
 
-    int inputStride = static_cast<int>(gl::ComputeVertexAttributeStride(attrib, binding));
-    int elementSize = static_cast<int>(gl::ComputeVertexAttributeTypeSize(attrib));
+    size_t inputStride = gl::ComputeVertexAttributeStride(attrib, binding);
+    size_t elementSize = gl::ComputeVertexAttributeTypeSize(attrib);
 
     DWORD lockFlags = mDynamicUsage ? D3DLOCK_NOOVERWRITE : 0;
 
@@ -105,7 +105,7 @@ gl::Error VertexBuffer9::storeVertexAttributes(const gl::VertexAttribute &attrib
 
     if (!needsConversion && inputStride == elementSize)
     {
-        size_t copySize = static_cast<size_t>(count) * static_cast<size_t>(inputStride);
+        size_t copySize = count * inputStride;
         memcpy(mapPtr, input, copySize);
     }
     else

src/libANGLE/renderer/d3d/d3d9/VertexBuffer9.h

@@ -28,7 +28,7 @@ class VertexBuffer9 : public VertexBuffer
                                     const gl::VertexBinding &binding,
                                     GLenum currentValueType,
                                     GLint start,
-                                    GLsizei count,
+                                    size_t count,
                                     GLsizei instances,
                                     unsigned int offset,
                                     const uint8_t *sourceData) override;

src/libANGLE/renderer/vulkan/VertexArrayVk.cpp

@@ -357,14 +357,17 @@ gl::Error VertexArrayVk::drawArrays(const gl::Context *context,
 
     ANGLE_TRY(onDraw(context, renderer, drawCallParams, drawNode, newCommandBuffer));
 
+    // Note: Vertex indexes can be arbitrarily large.
+    uint32_t clampedVertexCount = drawCallParams.getClampedVertexCount<uint32_t>();
+
     if (drawCallParams.mode() != GL_LINE_LOOP)
     {
-        commandBuffer->draw(drawCallParams.vertexCount(), 1, drawCallParams.firstVertex(), 0);
+        commandBuffer->draw(clampedVertexCount, 1, drawCallParams.firstVertex(), 0);
         return gl::NoError();
     }
 
     // Handle GL_LINE_LOOP drawArrays.
-    int lastVertex = drawCallParams.firstVertex() + drawCallParams.vertexCount();
+    size_t lastVertex = static_cast<size_t>(drawCallParams.firstVertex() + clampedVertexCount);
     if (!mLineLoopBufferFirstIndex.valid() || !mLineLoopBufferLastIndex.valid() ||
         mLineLoopBufferFirstIndex != drawCallParams.firstVertex() ||
         mLineLoopBufferLastIndex != lastVertex)
@@ -380,7 +383,7 @@ gl::Error VertexArrayVk::drawArrays(const gl::Context *context,
     commandBuffer->bindIndexBuffer(mCurrentElementArrayBufferHandle,
                                    mCurrentElementArrayBufferOffset, VK_INDEX_TYPE_UINT32);
 
-    vk::LineLoopHelper::Draw(drawCallParams.vertexCount(), commandBuffer);
+    vk::LineLoopHelper::Draw(clampedVertexCount, commandBuffer);
 
     return gl::NoError();
 }

src/libANGLE/renderer/vulkan/VertexArrayVk.h

@@ -120,8 +120,8 @@ class VertexArrayVk : public VertexArrayImpl
     vk::DynamicBuffer mDynamicIndexData;
 
     vk::LineLoopHelper mLineLoopHelper;
-    Optional<int> mLineLoopBufferFirstIndex;
-    Optional<int> mLineLoopBufferLastIndex;
+    Optional<GLint> mLineLoopBufferFirstIndex;
+    Optional<size_t> mLineLoopBufferLastIndex;
     bool mDirtyLineLoopTranslation;
 
     // Cache variable for determining whether or not to store new dependencies in the node.

src/libANGLE/renderer/vulkan/vk_helpers.cpp

@@ -379,8 +379,11 @@ gl::Error LineLoopHelper::getIndexBufferForDrawArrays(RendererVk *renderer,
                                            &offset, nullptr));
     *offsetOut = static_cast<VkDeviceSize>(offset);
 
+    uint32_t clampedVertexCount = drawCallParams.getClampedVertexCount<uint32_t>();
+
+    // Note: there could be an overflow in this addition.
     uint32_t unsignedFirstVertex = static_cast<uint32_t>(drawCallParams.firstVertex());
-    uint32_t vertexCount         = (drawCallParams.vertexCount() + unsignedFirstVertex);
+    uint32_t vertexCount         = (clampedVertexCount + unsignedFirstVertex);
     for (uint32_t vertexIndex = unsignedFirstVertex; vertexIndex < vertexCount; vertexIndex++)
     {
         *indices++ = vertexIndex;
@@ -469,9 +472,10 @@ void LineLoopHelper::destroy(VkDevice device)
 }
 
 // static
-void LineLoopHelper::Draw(int count, CommandBuffer *commandBuffer)
+void LineLoopHelper::Draw(uint32_t count, CommandBuffer *commandBuffer)
 {
     // Our first index is always 0 because that's how we set it up in createIndexBuffer*.
+    // Note: this could theoretically overflow and wrap to zero.
     commandBuffer->drawIndexed(count + 1, 1, 0, 0, 0);
 }
 

src/libANGLE/renderer/vulkan/vk_helpers.h

@@ -152,7 +152,7 @@ class LineLoopHelper final : public vk::CommandGraphResource
 
     void destroy(VkDevice device);
 
-    static void Draw(int count, CommandBuffer *commandBuffer);
+    static void Draw(uint32_t count, CommandBuffer *commandBuffer);
 
   private:
     DynamicBuffer mDynamicIndexBuffer;

src/tests/gl_tests/RobustBufferAccessBehaviorTest.cpp

@@ -258,6 +258,46 @@ void main()
     EXPECT_PIXEL_COLOR_EQ(0, 0, GLColor::green);
 }
 
+// Covers drawing with a very large vertex range which overflows GLsizei. http://crbug.com/842028
+TEST_P(RobustBufferAccessBehaviorTest, VeryLargeVertexCountWithDynamicVertexData)
+{
+    ANGLE_SKIP_TEST_IF(!initExtension());
+    ANGLE_SKIP_TEST_IF(!extensionEnabled("GL_OES_element_index_uint"));
+
+    constexpr GLsizei kIndexCount           = 32;
+    std::array<GLuint, kIndexCount> indices = {{}};
+    for (GLsizei index = 0; index < kIndexCount; ++index)
+    {
+        indices[index] = ((std::numeric_limits<GLuint>::max() - 2) / kIndexCount) * index;
+    }
+
+    GLBuffer indexBuffer;
+    glBindBuffer(GL_ELEMENT_ARRAY_BUFFER, indexBuffer);
+    glBufferData(GL_ELEMENT_ARRAY_BUFFER, indices.size() * sizeof(GLuint), indices.data(),
+                 GL_STATIC_DRAW);
+
+    std::array<GLfloat, 256> vertexData = {{}};
+
+    GLBuffer vertexBuffer;
+    glBindBuffer(GL_ARRAY_BUFFER, vertexBuffer);
+    glBufferData(GL_ARRAY_BUFFER, vertexData.size() * sizeof(GLfloat), vertexData.data(),
+                 GL_DYNAMIC_DRAW);
+
+    ANGLE_GL_PROGRAM(program, essl1_shaders::vs::Simple(), essl1_shaders::fs::Red());
+    glUseProgram(program);
+
+    GLint attribLoc = glGetAttribLocation(program, essl1_shaders::PositionAttrib());
+    ASSERT_NE(-1, attribLoc);
+
+    glVertexAttribPointer(attribLoc, 2, GL_FLOAT, GL_FALSE, 0, nullptr);
+    glEnableVertexAttribArray(attribLoc);
+    ASSERT_GL_NO_ERROR();
+
+    glDrawElements(GL_TRIANGLES, kIndexCount, GL_UNSIGNED_INT, nullptr);
+
+    // This may or may not generate an error, but it should not crash.
+}
+
 ANGLE_INSTANTIATE_TEST(RobustBufferAccessBehaviorTest,
                        ES2_D3D9(),
                        ES2_D3D11_FL9_3(),

src/tests/perf_tests/IndexDataManagerTest.cpp

@@ -58,7 +58,7 @@ class MockBufferFactoryD3D : public rx::BufferFactoryD3D
     MOCK_CONST_METHOD4(getVertexSpaceRequired,
                        gl::ErrorOrResult<unsigned int>(const gl::VertexAttribute &,
                                                        const gl::VertexBinding &,
-                                                       GLsizei,
+                                                       size_t,
                                                        GLsizei));
 
     // Dependency injection