authorJamie Madill <jmadill@chromium.org>2022-03-01 15:40:38 -0500
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-05-24 13:45:15 +0000
commit3e8444fbf852db7b5470e2088cec378547100215 (patch)
tree439163c661bf826b7a01720874943b4c7b6c4ee4
parent67fc041e76d301756c16858e97ba11db797bd68d (diff)
downloadqtwebengine-chromium-3e8444fbf852db7b5470e2088cec378547100215.tar.gz
[Backport] CVE-2022-0976: Heap buffer overflow in GPU
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/angle/angle/+/3513754: Vulkan: Fix issue with redefining a layered attachment. The fix ensures we complete level redefinition before we get the layer render target in TextureVk::getAttachmentRenderTarget. Bug: chromium:1296866 Change-Id: I3ebe38f477fbb3eb4f0ad81634ccfb716f1699ca Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/angle/src/libANGLE/renderer/vulkan/TextureVk.cpp20
1 files changed, 17 insertions, 3 deletions
diff --git a/chromium/third_party/angle/src/libANGLE/renderer/vulkan/TextureVk.cpp b/chromium/third_party/angle/src/libANGLE/renderer/vulkan/TextureVk.cpp
index d3ac999806f..b42f2316fc3 100644
--- a/chromium/third_party/angle/src/libANGLE/renderer/vulkan/TextureVk.cpp
+++ b/chromium/third_party/angle/src/libANGLE/renderer/vulkan/TextureVk.cpp
@@ -2132,6 +2132,15 @@ angle::Result TextureVk::getAttachmentRenderTarget(const gl::Context *context,
ContextVk *contextVk = vk::GetImpl(context);
+ if (mRedefinedLevels.any())
+ {
+ // If we have redefined levels, we must flush those out to fix the render targets.
+ ANGLE_TRY(respecifyImageStorage(contextVk));
+ }
+
+ // Otherwise, don't flush staged updates here. We'll handle that in FramebufferVk so we can
+ // defer clears.
+
if (!mImage->valid())
{
const gl::ImageDesc &baseLevelDesc = mState.getBaseLevelDesc();
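Review bot: The comment on the new `mRedefinedLevels.any()` branch says the flush is needed "to fix the render targets" but does not state the invariant it protects, which is the whole security content of this change. Judging by the commit description, the cached render-target vectors can be stale after a level is redefined with a different layer layout, and they are indexed later in this function. I would spell that out, e.g. `// A redefined level can change the layer layout; respecify storage first so the cached render targets are rebuilt before they are indexed below.` The diffstat shows only TextureVk.cpp changed, so this backport appears to carry no regression test for redefining a layered attachment; one should be added if the test suite is available in this tree. The function starts before this hunk and continues past it.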
@@ -2180,9 +2189,14 @@ angle::Result TextureVk::getAttachmentRenderTarget(const gl::Context *context,
ANGLE_TRY(initRenderTargets(contextVk, layerCount, gl::LevelIndex(imageIndex.getLevelIndex()),
renderToTextureIndex));
- ASSERT(imageIndex.getLevelIndex() <
- static_cast<int32_t>(mRenderTargets[renderToTextureIndex].size()));
- *rtOut = &mRenderTargets[renderToTextureIndex][imageIndex.getLevelIndex()][layerIndex];
+ std::vector<RenderTargetVector> &levelRenderTargets =
+ mRenderTargets[renderToTextureIndex];
+ ASSERT(imageIndex.getLevelIndex() < static_cast<int32_t>(levelRenderTargets.size()));
+
+ RenderTargetVector &layerRenderTargets = levelRenderTargets[imageIndex.getLevelIndex()];
+ ASSERT(imageIndex.getLayerIndex() < static_cast<int32_t>(layerRenderTargets.size()));
+
+ *rtOut = &layerRenderTargets[layerIndex];
return angle::Result::Continue;
}
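Review bot: The new layer bounds check tests `imageIndex.getLayerIndex()`, but the element is read with `layerIndex`, a local computed earlier in the function outside this hunk, so the assertion does not necessarily cover the index that is actually used. It should check the same value, e.g. `ASSERT(layerIndex < layerRenderTargets.size());`, with the cast adjusted to whatever type `layerIndex` is declared with. Both checks are `ASSERT`s, which are typically compiled out of release builds, so in shipped binaries the only protection is the respecify call added in the first hunk. Since this path was the site of a heap overflow, consider failing the call with a runtime check instead of indexing when either bound is exceeded.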