authorJamie Madill <jmadill@chromium.org>2021-06-14 11:27:27 -0400
committerMichael BrĂ¼ning <michael.bruning@qt.io>2021-11-10 18:21:41 +0000
commit439637e3aeab4b09bf441d395575a6e801af713d (patch)
tree8e89dd18cb6c1c2587ce6b9b867d4a720952ce96
parent0c250ea50b94b68549ce4555bea7f9cdf6f6e69f (diff)
[Backport] CVE-2021-30559: Out of bounds write in ANGLE
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/angle/angle/+/2961070: D3D11: Fix OOB write in Blit11. This could happen for specific values of the 'dest' target. Bug: chromium:1219082 Change-Id: Ic19a5dc4a95531f9513403ad9c97a4b4c5dc5a6f Reviewed-by: Jamie Madill <jmadill@chromium.org> Reviewed-by: Geoff Lang <geofflang@chromium.org> Commit-Queue: Jamie Madill <jmadill@chromium.org> Reviewed-by: Michal Klocek <michal.klocek@qt.io> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp4
1 files changed, 2 insertions, 2 deletions
diff --git a/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp b/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp
index 59b0e9468a4..0441ed5c400 100644
--- a/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp
+++ b/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp
@@ -111,9 +111,9 @@ void StretchedBlitNearest_RowByRow(const gl::Box &sourceArea,
uint8_t *destData)
{
int srcHeightSubOne = (sourceArea.height - 1);
- size_t copySize = pixelSize * destArea.width;
+ size_t copySize = pixelSize * clippedDestArea.width;
size_t srcOffset = sourceArea.x * pixelSize;
- size_t destOffset = destArea.x * pixelSize;
+ size_t destOffset = clippedDestArea.x * pixelSize;
for (int y = clippedDestArea.y; y < clippedDestArea.y + clippedDestArea.height; y++)
{