author | Jamie Madill <jmadill@chromium.org> | 2021-06-14 11:27:27 -0400 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2021-11-10 18:21:41 +0000 |
commit | 439637e3aeab4b09bf441d395575a6e801af713d (patch) | |
tree | 8e89dd18cb6c1c2587ce6b9b867d4a720952ce96 | |
parent | 0c250ea50b94b68549ce4555bea7f9cdf6f6e69f (diff) | |
download | qtwebengine-chromium-439637e3aeab4b09bf441d395575a6e801af713d.tar.gz |
[Backport] CVE-2021-30559: Out of bounds write in ANGLE
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/2961070:
D3D11: Fix OOB write in Blit11.
This could happen for specific values of the 'dest' target.
Bug: chromium:1219082
Change-Id: Ic19a5dc4a95531f9513403ad9c97a4b4c5dc5a6f
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Commit-Queue: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp b/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp index 59b0e9468a4..0441ed5c400 100644 --- a/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp +++ b/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp @@ -111,9 +111,9 @@ void StretchedBlitNearest_RowByRow(const gl::Box &sourceArea, uint8_t *destData) { int srcHeightSubOne = (sourceArea.height - 1); - size_t copySize = pixelSize * destArea.width; + size_t copySize = pixelSize * clippedDestArea.width; size_t srcOffset = sourceArea.x * pixelSize; - size_t destOffset = destArea.x * pixelSize; + size_t destOffset = clippedDestArea.x * pixelSize; for (int y = clippedDestArea.y; y < clippedDestArea.y + clippedDestArea.height; y++) { |
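Review bot: srcOffset, on the unchanged line between the two edits in StretchedBlitNearest_RowByRow, is still computed from sourceArea.x, while copySize and destOffset now follow clippedDestArea. If clipping can move the left edge so that clippedDestArea.x differs from destArea.x, each row is still read starting at the unclipped source column and lands shifted in the destination; the source start would then need to advance by (clippedDestArea.x - destArea.x) * pixelSize. If the caller guarantees this cannot happen, a short comment or an assert stating that invariant next to srcOffset would make the fix easier to audit. It would also help to assert that destOffset + copySize stays within the destination row pitch, since that is the bound the old destArea.width computation exceeded. The patch adds no regression test for the "specific values of the 'dest' target" named in the commit message; a blit whose destination rectangle extends past the target on each side would cover this.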