author: Jamie Madill <jmadill@chromium.org> 2022-05-02 15:42:23 -0400
committer: Michael Brüning <michael.bruning@qt.io> 2022-07-25 16:36:20 +0000
commit: ce46a1995819e314b0913e1457800081aacdac1e
tree: 76088d0feea72d4ee9bd5aaed8df945e61192735
parent: 01ca651248da6fd6d6666d5b959d81858b25510f
[Backport] CVE-2022-1854: Use after free in ANGLE.

Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/3650697:
[M102] Fix validation cache when deleting a Transform Feedback.

Bug: chromium:1320024
Change-Id: I76ef85a3c65c663c138d8caebd4ef2c0da53cd4f
Commit-Queue: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>
Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
(cherry picked from commit 84e42c3b04da9e2c9d93d35bb6f2b1830fef22f4)
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

-rw-r--r-- chromium/third_party/angle/src/libANGLE/Context.cpp 1
1 files changed, 1 insertions, 0 deletions
diff --git a/chromium/third_party/angle/src/libANGLE/Context.cpp b/chromium/third_party/angle/src/libANGLE/Context.cpp
index ca8547e2057..8b7b51c81c4 100644
--- a/chromium/third_party/angle/src/libANGLE/Context.cpp
+++ b/chromium/third_party/angle/src/libANGLE/Context.cpp
@@ -2727,6 +2727,7 @@ void Context::detachTransformFeedback(TransformFeedbackID transformFeedback)
if (mState.removeTransformFeedbackBinding(this, transformFeedback))
{
bindTransformFeedback(GL_TRANSFORM_FEEDBACK, {0});
+ mStateCache.onActiveTransformFeedbackChange(this);
}
}
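
Review bot: the added mStateCache.onActiveTransformFeedbackChange(this) call inside the if block of Context::detachTransformFeedback carries no comment saying why the validation cache has to be refreshed after the rebind to {0}. A reader of this function alone cannot tell that dropping the line reintroduces the stale-cache condition the commit message describes. A one-line comment above the call stating that the state cache must not keep referring to the transform feedback being deleted would make the intent durable. The need for an explicit call here also implies that bindTransformFeedback(GL_TRANSFORM_FEEDBACK, {0}) does not update mStateCache on this path, so it is worth confirming whether the notification belongs inside the bind path instead, where other callers would get it too. Finally, the diffstat shows only Context.cpp changed: a regression test that deletes a transform feedback object while it is bound and then issues a validated draw call would keep this fix from silently regressing in later backports.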