Set gl::Buffer to zero size when allocations fail.

It's undefined what happens if we run into OOM errors when allocating new resources. To guard against fuzzer issues we can set the buffer size internally to zero when an allocation fails. This should prevent GL APIs from reading from the buffer when the contents are internally inconsistent. Bug: chromium:1086532 Change-Id: I9ac4becf977bf0521208b2220caba788c21c93f1 Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/2219137 Commit-Queue: Jamie Madill <jmadill@chromium.org> Reviewed-by: Geoff Lang <geofflang@chromium.org>

Set gl::Buffer to zero size when allocations fail.
8470b533 · Jamie Madill · Commit Bot · 3c00eee2 · 8470b533
Commit 8470b533 authored May 28, 2020 by Jamie Madill Committed by Commit Bot May 29, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 1 deletion

Buffer.cpp src/libANGLE/Buffer.cpp +11 -1

No files found.
--- a/src/libANGLE/Buffer.cpp
+++ b/src/libANGLE/Buffer.cpp
@@ -87,7 +87,17 @@ angle::Result Buffer::bufferData(Context *context,
        dataForImpl = scratchBuffer->data();
    }
-    ANGLE_TRY(mImpl->setData(context, target, dataForImpl, size, usage));
+    if (mImpl->setData(context, target, dataForImpl, size, usage) == angle::Result::Stop)
+    {
+        // If setData fails, the buffer contents are undefined. Set a zero size to indicate that.
+        mIndexRangeCache.clear();
+        mState.mSize = 0;
+        // Notify when storage changes.
+        onStateChange(angle::SubjectMessage::SubjectChanged);
+        return angle::Result::Stop;
+    }
    mIndexRangeCache.clear();
    mState.mUsage = usage;