author | Jamie Madill <jmadill@chromium.org> | 2022-03-14 10:37:31 -0400 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-05-03 20:17:03 +0000 |
commit | 0aa47bd2a81ddb206ac00bb48bc99d24bae89490 (patch) | |
tree | 84b753d24803900896a7c347bad6f02dcc4e886f | |
parent | 4faa15cf23bcee983a9a211ac12efee802f01315 (diff) | |
download | qtwebengine-chromium-0aa47bd2a81ddb206ac00bb48bc99d24bae89490.tar.gz |
[Backport] CVE-2022-1479: Use after free in ANGLE
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/3522283:
Fix crash when pausing XFB then deleting a buffer.
Fix is to validate XFB buffer bindings even if we're paused.
This is undefined behaviour so we can use any non-crashing solution.
Bug: chromium:1305190
Change-Id: Ib95404cdb13adbde7f34d6cc77473a8b3cbf1de7
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Commit-Queue: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/angle/src/libANGLE/validationES.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/chromium/third_party/angle/src/libANGLE/validationES.cpp b/chromium/third_party/angle/src/libANGLE/validationES.cpp index 053b40ced2d..751d7e6553a 100644 --- a/chromium/third_party/angle/src/libANGLE/validationES.cpp +++ b/chromium/third_party/angle/src/libANGLE/validationES.cpp @@ -3851,7 +3851,7 @@ const char *ValidateDrawStates(const Context *context) return kTessellationShaderRequiresBothControlAndEvaluation; } - if (state.isTransformFeedbackActiveUnpaused()) + if (state.isTransformFeedbackActive()) { if (!ValidateProgramExecutableXFBBuffersPresent(context, executable)) { |
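Review bot: The changed condition in ValidateDrawStates, `if (state.isTransformFeedbackActive())`, has no comment explaining why paused transform feedback must also pass through ValidateProgramExecutableXFBBuffersPresent. Without one, a later reader could restore isTransformFeedbackActiveUnpaused() as an apparent optimisation and bring back the pause-then-delete-buffer crash described in the commit message. Suggest a one-line comment at the condition saying that XFB buffer bindings are validated while paused because a bound buffer can be deleted during the pause. The diffstat lists only validationES.cpp, so this backport carries no regression test; a test that pauses XFB, deletes the bound buffer and then issues a draw would pin the new behaviour. Draws issued while XFB is paused now take this validation branch where they previously skipped it, so it is worth confirming that callers handle the resulting validation failure for that case.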