Restrict BlitFramebuffer dimensions in WebGL mode

Don't allow blitFramebuffer dimensions to overflow 32-bit integer range as specified in WebGL 2.0 section 5.41. BUG=chromium:830046 TEST=WebGL 2 conformance tests, angle_end2end_tests Change-Id: Ia232291b09c94e1e4f837441c6720a78bab672fb Reviewed-on: https://chromium-review.googlesource.com/1023856Reviewed-by: Geoff Lang <geofflang@chromium.org> Reviewed-by: Jamie Madill <jmadill@chromium.org> Commit-Queue: Jamie Madill <jmadill@chromium.org>

Restrict BlitFramebuffer dimensions in WebGL mode
8d5571ac · Olli Etuaho · Commit Bot · af2b33be · 8d5571ac · 8d5571ac
Commit 8d5571ac authored Apr 23, 2018 by Olli Etuaho Committed by Commit Bot Apr 23, 2018
Showing with 75 additions and 0 deletions

ErrorStrings.h src/libANGLE/ErrorStrings.h +1 -0

validationES.cpp src/libANGLE/validationES.cpp +20 -0

WebGLCompatibilityTest.cpp src/tests/gl_tests/WebGLCompatibilityTest.cpp +54 -0

No files found.
--- a/src/libANGLE/ErrorStrings.h
+++ b/src/libANGLE/ErrorStrings.h
@@ -16,6 +16,7 @@

 namespace gl
 {
+ERRMSG(BlitDimensionsOutOfRange, "BlitFramebuffer dimensions out of 32-bit integer range.");
 ERRMSG(BufferBoundForTransformFeedback, "Buffer is bound for transform feedback.");
 ERRMSG(BufferNotBound, "A buffer must be bound.");
 ERRMSG(CompressedTextureDimensionsMustMatchData,

--- a/src/libANGLE/validationES.cpp
+++ b/src/libANGLE/validationES.cpp
@@ -68,6 +68,16 @@ bool CompressedSubTextureFormatRequiresExactSize(GLenum internalFormat)
    return CompressedTextureFormatRequiresExactSize(internalFormat) ||
           IsETC2EACFormat(internalFormat);
 }
+
+bool DifferenceCanOverflow(GLint a, GLint b)
+{
+    CheckedNumeric<GLint> checkedA(a);
+    checkedA -= b;
+    // Use negation to make sure that the difference can't overflow regardless of the order.
+    checkedA = -checkedA;
+    return !checkedA.IsValid();
+}
+
 bool ValidateDrawAttribs(Context *context, GLint primcount, GLint maxVertex, GLint vertexCount)
 {
    const gl::State &state     = context->getGLState();
@@ -1298,6 +1308,16 @@ bool ValidateBlitFramebufferParameters(Context *context,
        return false;
    }

+    if (context->getExtensions().webglCompatibility)
+    {
+        if (DifferenceCanOverflow(srcX0, srcX1) || DifferenceCanOverflow(srcY0, srcY1) ||
+            DifferenceCanOverflow(dstX0, dstX1) || DifferenceCanOverflow(dstY0, dstY1))
+        {
+            ANGLE_VALIDATION_ERR(context, InvalidValue(), BlitDimensionsOutOfRange);
+            return false;
+        }
+    }
+
    bool sameBounds = srcX0 == dstX0 && srcY0 == dstY0 && srcX1 == dstX1 && srcY1 == dstY1;

    if (mask & GL_COLOR_BUFFER_BIT)

--- a/src/tests/gl_tests/WebGLCompatibilityTest.cpp
+++ b/src/tests/gl_tests/WebGLCompatibilityTest.cpp
@@ -4152,6 +4152,60 @@ TEST_P(WebGL2CompatibilityTest, TransformFeedbackCheckNullDeref)
    EXPECT_GL_ERROR(GL_INVALID_OPERATION);
 }

+// Test blitFramebuffer size overflow checks. WebGL 2.0 spec section 5.41.
+TEST_P(WebGL2CompatibilityTest, BlitFramebufferSizeOverflow)
+{
+    GLTexture textures[2];
+    glBindTexture(GL_TEXTURE_2D, textures[0]);
+    glTexStorage2D(GL_TEXTURE_2D, 3, GL_RGBA8, 4, 4);
+    glBindTexture(GL_TEXTURE_2D, textures[1]);
+    glTexStorage2D(GL_TEXTURE_2D, 3, GL_RGBA8, 4, 4);
+
+    GLFramebuffer framebuffers[2];
+    glBindFramebuffer(GL_READ_FRAMEBUFFER, framebuffers[0]);
+    glBindFramebuffer(GL_DRAW_FRAMEBUFFER, framebuffers[1]);
+
+    ASSERT_GL_NO_ERROR();
+
+    glFramebufferTexture2D(GL_READ_FRAMEBUFFER, GL_COLOR_ATTACHMENT0, GL_TEXTURE_2D, textures[0],
+                           0);
+    glFramebufferTexture2D(GL_DRAW_FRAMEBUFFER, GL_COLOR_ATTACHMENT0, GL_TEXTURE_2D, textures[1],
+                           0);
+    ASSERT_GL_NO_ERROR();
+
+    // srcX
+    glBlitFramebuffer(-1, 0, std::numeric_limits<GLint>::max(), 4, 0, 0, 4, 4, GL_COLOR_BUFFER_BIT,
+                      GL_NEAREST);
+    EXPECT_GL_ERROR(GL_INVALID_VALUE);
+    glBlitFramebuffer(std::numeric_limits<GLint>::max(), 0, -1, 4, 0, 0, 4, 4, GL_COLOR_BUFFER_BIT,
+                      GL_NEAREST);
+    EXPECT_GL_ERROR(GL_INVALID_VALUE);
+
+    // srcY
+    glBlitFramebuffer(0, -1, 4, std::numeric_limits<GLint>::max(), 0, 0, 4, 4, GL_COLOR_BUFFER_BIT,
+                      GL_NEAREST);
+    EXPECT_GL_ERROR(GL_INVALID_VALUE);
+    glBlitFramebuffer(0, std::numeric_limits<GLint>::max(), 4, -1, 0, 0, 4, 4, GL_COLOR_BUFFER_BIT,
+                      GL_NEAREST);
+    EXPECT_GL_ERROR(GL_INVALID_VALUE);
+
+    // dstX
+    glBlitFramebuffer(0, 0, 4, 4, -1, 0, std::numeric_limits<GLint>::max(), 4, GL_COLOR_BUFFER_BIT,
+                      GL_NEAREST);
+    EXPECT_GL_ERROR(GL_INVALID_VALUE);
+    glBlitFramebuffer(0, 0, 4, 4, std::numeric_limits<GLint>::max(), 0, -1, 4, GL_COLOR_BUFFER_BIT,
+                      GL_NEAREST);
+    EXPECT_GL_ERROR(GL_INVALID_VALUE);
+
+    // dstY
+    glBlitFramebuffer(0, 0, 4, 4, 0, -1, 4, std::numeric_limits<GLint>::max(), GL_COLOR_BUFFER_BIT,
+                      GL_NEAREST);
+    EXPECT_GL_ERROR(GL_INVALID_VALUE);
+    glBlitFramebuffer(0, 0, 4, 4, 0, std::numeric_limits<GLint>::max(), 4, -1, GL_COLOR_BUFFER_BIT,
+                      GL_NEAREST);
+    EXPECT_GL_ERROR(GL_INVALID_VALUE);
+}
+
 // Use this to select which configurations (e.g. which renderer, which GLES major version) these
 // tests should be run against.
 ANGLE_INSTANTIATE_TEST(WebGLCompatibilityTest,