Avoid possible overflow when computing ReadPixels bounds.

BUG=809881 Change-Id: I69c58c93597aea5a5c25298908592ce1ab4a957b Reviewed-on: https://chromium-review.googlesource.com/929984Reviewed-by: Luc Ferron <lucferron@chromium.org> Reviewed-by: Corentin Wallez <cwallez@chromium.org> Commit-Queue: Geoff Lang <geofflang@chromium.org>

Avoid possible overflow when computing ReadPixels bounds.
a953b527 · Geoff Lang · Commit Bot · 1dce1bd3 · a953b527
Commit a953b527 authored Feb 21, 2018 by Geoff Lang Committed by Commit Bot Feb 22, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 7 deletions

validationES.cpp src/libANGLE/validationES.cpp +28 -7

No files found.
--- a/src/libANGLE/validationES.cpp
+++ b/src/libANGLE/validationES.cpp
@@ -5273,7 +5273,7 @@ bool ValidateReadPixelsBase(Context *context,
        *length = static_cast<GLsizei>(endByte);
    }

-    auto getClippedExtent = [](GLint start, GLsizei length, int bufferSize) {
+    auto getClippedExtent = [](GLint start, GLsizei length, int bufferSize, GLsizei *outExtent) {
        angle::CheckedNumeric<int> clippedExtent(length);
        if (start < 0)
        {
@@ -5281,8 +5281,14 @@ bool ValidateReadPixelsBase(Context *context,
            clippedExtent += start;
        }

-        const int readExtent = start + length;
-        if (readExtent > bufferSize)
+        angle::CheckedNumeric<int> readExtent = start;
+        readExtent += length;
+        if (!readExtent.IsValid())
+        {
+            return false;
+        }
+
+        if (readExtent.ValueOrDie() > bufferSize)
        {
            // Subtract the region to the right of the read buffer
            clippedExtent -= (readExtent - bufferSize);
@@ -5290,20 +5296,35 @@ bool ValidateReadPixelsBase(Context *context,

        if (!clippedExtent.IsValid())
        {
-            return 0;
+            return false;
        }

-        return std::max(clippedExtent.ValueOrDie(), 0);
+        *outExtent = std::max(clippedExtent.ValueOrDie(), 0);
+        return true;
    };

+    GLsizei writtenColumns = 0;
+    if (!getClippedExtent(x, width, readBuffer->getSize().width, &writtenColumns))
+    {
+        ANGLE_VALIDATION_ERR(context, InvalidOperation(), IntegerOverflow);
+        return false;
+    }
+
+    GLsizei writtenRows = 0;
+    if (!getClippedExtent(y, height, readBuffer->getSize().height, &writtenRows))
+    {
+        ANGLE_VALIDATION_ERR(context, InvalidOperation(), IntegerOverflow);
+        return false;
+    }
+
    if (columns != nullptr)
    {
-        *columns = getClippedExtent(x, width, readBuffer->getSize().width);
+        *columns = writtenColumns;
    }

    if (rows != nullptr)
    {
-        *rows = getClippedExtent(y, height, readBuffer->getSize().height);
+        *rows = writtenRows;
    }

    return true;