Protect against integer overflows in the VertexBuffer class by validating the reserved space.

Issue 444 Signed-off-by: Jamie Madil Signed-off-by: Shannon Woods Author: Geoff Lang

Protect against integer overflows in the VertexBuffer class by validating the reserved space.
fe5b2726 · Geoff Lang · Shannon Woods · eadfd57b · fe5b2726 · fe5b2726
Commit fe5b2726 authored Jul 09, 2013 by Geoff Lang Committed by Shannon Woods Jul 19, 2013
Showing with 25 additions and 6 deletions

VertexBuffer.cpp src/libGLESv2/renderer/VertexBuffer.cpp +11 -2

VertexBuffer.h src/libGLESv2/renderer/VertexBuffer.h +1 -1

VertexDataManager.cpp src/libGLESv2/renderer/VertexDataManager.cpp +13 -3

No files found.
--- a/src/libGLESv2/renderer/VertexBuffer.cpp
+++ b/src/libGLESv2/renderer/VertexBuffer.cpp
@@ -107,9 +107,18 @@ int VertexBufferInterface::storeVertexAttributes(const gl::VertexAttribute &attr
    return oldWritePos;
 }
-void VertexBufferInterface::reserveVertexSpace(const gl::VertexAttribute &attribute, GLsizei count, GLsizei instances)
+bool VertexBufferInterface::reserveVertexSpace(const gl::VertexAttribute &attribute, GLsizei count, GLsizei instances)
 {
-    mReservedSpace += mVertexBuffer->getSpaceRequired(attribute, count, instances);
+    unsigned int requiredSpace = mVertexBuffer->getSpaceRequired(attribute, count, instances);
+    // Protect against integer overflow
+    if (mReservedSpace + requiredSpace < mReservedSpace)
+    {
+         return false;
+    }
+    mReservedSpace += requiredSpace;
+    return true;
 }
 VertexBuffer* VertexBufferInterface::getVertexBuffer() const

--- a/src/libGLESv2/renderer/VertexBuffer.h
+++ b/src/libGLESv2/renderer/VertexBuffer.h
@@ -60,7 +60,7 @@ class VertexBufferInterface
    VertexBufferInterface(rx::Renderer *renderer, bool dynamic);
    virtual ~VertexBufferInterface();
-    void reserveVertexSpace(const gl::VertexAttribute &attribute, GLsizei count, GLsizei instances);
+    bool reserveVertexSpace(const gl::VertexAttribute &attribute, GLsizei count, GLsizei instances);
    unsigned int getBufferSize() const;

--- a/src/libGLESv2/renderer/VertexDataManager.cpp
+++ b/src/libGLESv2/renderer/VertexDataManager.cpp
@@ -121,12 +121,18 @@ GLenum VertexDataManager::prepareVertexData(const gl::VertexAttribute attribs[],
                    if (staticBuffer->getBufferSize() == 0)
                    {
                        int totalCount = ElementsInBuffer(attribs[i], buffer->size());
-                        staticBuffer->reserveVertexSpace(attribs[i], totalCount, 0);
+                        if (!staticBuffer->reserveVertexSpace(attribs[i], totalCount, 0))
+                        {
+                            return GL_OUT_OF_MEMORY;
+                        }
                    }
                }
                else
                {
-                    mStreamingBuffer->reserveVertexSpace(attribs[i], count, instances);
+                    if (!mStreamingBuffer->reserveVertexSpace(attribs[i], count, instances))
+                    {
+                        return GL_OUT_OF_MEMORY;
+                    }
                }
            }
        }
@@ -218,7 +224,11 @@ GLenum VertexDataManager::prepareVertexData(const gl::VertexAttribute attribs[],
                if (memcmp(&mCurrentValue[i], &currentValues[i], sizeof(gl::VertexAttribCurrentValueData)) != 0)
                {
-                    buffer->reserveVertexSpace(attribs[i], 1, 0);
+                    if (!buffer->reserveVertexSpace(attribs[i], 1, 0))
+                    {
+                        return GL_OUT_OF_MEMORY;
+                    }
                    int streamOffset = buffer->storeVertexAttributes(attribs[i], currentValues[i], 0, 1, 0);
                    if (streamOffset == -1)
                    {