Buffer11: Ensure we don't overflow on setData.

When mapping uniform buffers for very large buffers, we could end up copying past buffer bounds. This would trigger crashes on some configs. We can fix this by clamping the copy size correctly. BUG=chromium:659892 Change-Id: I9d1af984da34867692d4c7b8908c016ebec7a63b Reviewed-on: https://chromium-review.googlesource.com/404931Reviewed-by: Geoff Lang <geofflang@chromium.org> Reviewed-by: Jamie Madill <jmadill@chromium.org> Commit-Queue: Jamie Madill <jmadill@chromium.org>

Buffer11: Ensure we don't overflow on setData.
5677e4d1 · Jamie Madill · Commit Bot · 2bfc4119 · 5677e4d1
Commit 5677e4d1 authored Oct 28, 2016 by Jamie Madill Committed by Commit Bot Oct 28, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

Buffer11.cpp src/libANGLE/renderer/d3d/d3d11/Buffer11.cpp +6 -2

No files found.
--- a/src/libANGLE/renderer/d3d/d3d11/Buffer11.cpp
+++ b/src/libANGLE/renderer/d3d/d3d11/Buffer11.cpp
@@ -841,10 +841,14 @@ gl::Error Buffer11::BufferStorage::setData(const uint8_t *data, size_t offset, s
 {
    ASSERT(isMappable(GL_MAP_WRITE_BIT));
+    // Uniform storage can have a different internal size than the buffer size. Ensure we don't
+    // overflow.
+    size_t mapSize = std::min(size, mBufferSize - offset);
    uint8_t *writePointer = nullptr;
-    ANGLE_TRY(map(offset, size, GL_MAP_WRITE_BIT, &writePointer));
+    ANGLE_TRY(map(offset, mapSize, GL_MAP_WRITE_BIT, &writePointer));
-    memcpy(writePointer, data, size);
+    memcpy(writePointer, data, mapSize);
    unmap();