Commit 16a2a922 by Nicolas Capens Committed by Nicolas Capens

Validate pixel unpack buffer offset.

When a pixel unpack buffer is bound, glTexImage calls interpret the <pixels> parameter as an offset into the pixel buffer. We weren't validating that the accessed data falls within the buffer when taking the offset into account. Bug chromium:822976 Change-Id: I3ab23e3b135fd4ad1e55555eec95d584684f5d82 Reviewed-on: https://swiftshader-review.googlesource.com/17928 Tested-by: Nicolas Capens <nicolascapens@google.com> Reviewed-by: Alexis Hétu <sugoi@google.com>
parent 9869bedb
...@@ -1542,22 +1542,37 @@ GLsizei Context::getRequiredBufferSize(GLsizei width, GLsizei height, GLsizei de ...@@ -1542,22 +1542,37 @@ GLsizei Context::getRequiredBufferSize(GLsizei width, GLsizei height, GLsizei de
return inputPitch * inputHeight * depth; return inputPitch * inputHeight * depth;
} }
GLenum Context::getPixels(const GLvoid **data, GLenum type, GLsizei imageSize) const GLenum Context::getPixels(const GLvoid **pixels, GLenum type, GLsizei imageSize) const
{ {
if(mState.pixelUnpackBuffer) if(mState.pixelUnpackBuffer)
{ {
if(mState.pixelUnpackBuffer->name) ASSERT(mState.pixelUnpackBuffer->name != 0);
if(mState.pixelUnpackBuffer->isMapped())
{ {
if(mState.pixelUnpackBuffer->isMapped() || return GL_INVALID_OPERATION;
(mState.pixelUnpackBuffer->size() < static_cast<size_t>(imageSize)) || }
(static_cast<GLsizei>((ptrdiff_t)(*data)) % GetTypeSize(type)))
{ size_t offset = static_cast<size_t>((ptrdiff_t)(*pixels));
return GL_INVALID_OPERATION;
} if(offset % GetTypeSize(type) != 0)
{
return GL_INVALID_OPERATION;
} }
*data = static_cast<const unsigned char*>(mState.pixelUnpackBuffer->data()) + (ptrdiff_t)(*data); if(offset > mState.pixelUnpackBuffer->size())
{
return GL_INVALID_OPERATION;
}
if(mState.pixelUnpackBuffer->size() - offset < static_cast<size_t>(imageSize))
{
return GL_INVALID_OPERATION;
}
*pixels = static_cast<const unsigned char*>(mState.pixelUnpackBuffer->data()) + offset;
} }
return GL_NO_ERROR; return GL_NO_ERROR;
} }
......
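Review bot: The alignment check `if(offset % GetTypeSize(type) != 0)` divides by whatever GetTypeSize returns, so if its default branch yields 0 for an unrecognized type (that switch is outside this hunk, so this is inferred) the new code hits an integer modulo by zero instead of an error return; the old code had the same hazard, but this rewrite is the place to close it. I would hoist the size and guard it: `const size_t typeSize = GetTypeSize(type);` followed by `if(typeSize == 0 || offset % typeSize != 0) return GL_INVALID_OPERATION;`. The two range checks that follow are correct as written: the `offset > size()` test keeps the subtraction on the next line from wrapping, and a negative imageSize converts to a large size_t and is rejected rather than accepted, though a one-line comment saying so would help the next reader. As a point of style, `static_cast<size_t>((ptrdiff_t)(*pixels))` mixes a C-style cast into a named cast; `reinterpret_cast<uintptr_t>(*pixels)` states the pointer-to-offset intent directly.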
...@@ -1121,7 +1121,7 @@ namespace es2 ...@@ -1121,7 +1121,7 @@ namespace es2
return GL_NO_ERROR; return GL_NO_ERROR;
} }
GLsizei GetTypeSize(GLenum type) size_t GetTypeSize(GLenum type)
{ {
switch(type) switch(type)
{ {
......
...@@ -58,7 +58,7 @@ namespace es2 ...@@ -58,7 +58,7 @@ namespace es2
int CubeFaceIndex(GLenum cubeTarget); int CubeFaceIndex(GLenum cubeTarget);
bool IsTextureTarget(GLenum target); bool IsTextureTarget(GLenum target);
GLenum ValidateTextureFormatType(GLenum format, GLenum type, GLint internalformat, GLenum target, GLint clientVersion); GLenum ValidateTextureFormatType(GLenum format, GLenum type, GLint internalformat, GLenum target, GLint clientVersion);
GLsizei GetTypeSize(GLenum type); size_t GetTypeSize(GLenum type);
bool IsColorRenderable(GLint internalformat, GLint clientVersion); bool IsColorRenderable(GLint internalformat, GLint clientVersion);
bool IsDepthRenderable(GLint internalformat, GLint clientVersion); bool IsDepthRenderable(GLint internalformat, GLint clientVersion);
......