author | Jamie Madill <jmadill@chromium.org> | 2022-04-19 17:01:20 -0400 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-05-20 15:37:15 +0000 |
commit | 3da777a1aac2dbeff5ab68e01b5006d97a1f2aea (patch) | |
tree | 60b83ade8ff663d93488b67720c3f968307a5044 | |
parent | b45abe6aea361b9041969b0479bbbef294a08ec4 (diff) | |
download | qtwebengine-chromium-3da777a1aac2dbeff5ab68e01b5006d97a1f2aea.tar.gz |
[Backport] CVE-2022-1639: Use after free in ANGLE
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/3594250:
Fix validate state cache after XFB buffer deleted.
Bug: chromium:1317650
Change-Id: Iec9f1167c3b2957091dd0f4ef3efcfcd7c4bf3c0
Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>
Auto-Submit: Jamie Madill <jmadill@chromium.org>
Commit-Queue: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/angle/src/libANGLE/State.cpp | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/chromium/third_party/angle/src/libANGLE/State.cpp b/chromium/third_party/angle/src/libANGLE/State.cpp index 182709c348f..dc2b1728e3a 100644 --- a/chromium/third_party/angle/src/libANGLE/State.cpp +++ b/chromium/third_party/angle/src/libANGLE/State.cpp @@ -2115,10 +2115,7 @@ angle::Result State::detachBuffer(Context *context, const Buffer *buffer) if (curTransformFeedback) { ANGLE_TRY(curTransformFeedback->detachBuffer(context, bufferID)); - if (isTransformFeedbackActiveUnpaused()) - { - context->getStateCache().onActiveTransformFeedbackChange(context); - } + context->getStateCache().onActiveTransformFeedbackChange(context); } if (getVertexArray()->detachBuffer(context, bufferID)) |
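Review bot: The now unconditional `context->getStateCache().onActiveTransformFeedbackChange(context);` call inside `if (curTransformFeedback)` in `State::detachBuffer` carries no comment explaining why the removed `isTransformFeedbackActiveUnpaused()` guard was wrong, so a later cleanup could reintroduce the guard as an apparent optimisation. Suggest a one-line comment above the call stating that the state cache must be refreshed whenever a buffer is detached from the current transform feedback, including while transform feedback is paused or inactive, which is the case the commit message summarises as "Fix validate state cache after XFB buffer deleted". The diffstat lists only State.cpp, so this backport ships without a regression test; if the upstream change includes a test that deletes an XFB buffer while transform feedback is not active and unpaused, it would be worth carrying over with the fix.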