authorJamie Madill <jmadill@chromium.org>2020-07-14 17:20:18 -0400
committerMichael Brüning <michael.bruning@qt.io>2020-08-11 14:49:18 +0000
commit3cebf422618e308b48639057593ee795685e6cb7 (patch)
tree7fe716f6ae5f826bc3ddb7098e2572b35a926a17
parentf7859651865c0b4b511714f5d68faac76f6a6d70 (diff)
[Backport] CVE-2020-6555: Out of bounds read in WebGL
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/angle/angle/+/2298145: Fix stale validation cache on buffer deletion. When we would delete the currently bound element array buffer we would neglect to invalidate a specific validation cache variable. This incorrectly would let us skip buffer size validation and lead to internal invalid memory accesses. Bug: chromium:1105202 Change-Id: I23ab28ccd3ac6b5d461cb8745b930f4d42d53b35 Reviewed-by: Geoff Lang <geofflang@chromium.org> Commit-Queue: Jamie Madill <jmadill@chromium.org> Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/angle/src/libANGLE/Context.cpp1
-rw-r--r--chromium/third_party/angle/src/libANGLE/Context.h1
2 files changed, 2 insertions, 0 deletions
diff --git a/chromium/third_party/angle/src/libANGLE/Context.cpp b/chromium/third_party/angle/src/libANGLE/Context.cpp
index 90e80d92b57..f73391da2bd 100644
--- a/chromium/third_party/angle/src/libANGLE/Context.cpp
+++ b/chromium/third_party/angle/src/libANGLE/Context.cpp
@@ -8702,6 +8702,7 @@ void StateCache::onVertexArrayStateChange(Context *context)
updateActiveAttribsMask(context);
updateVertexElementLimits(context);
updateBasicDrawStatesError();
+ updateBasicDrawElementsError();
}
void StateCache::onVertexArrayBufferStateChange(Context *context)
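Review bot: The backport carries only the one-line cache refresh in StateCache::onVertexArrayStateChange and no regression test: the diffstat lists just Context.cpp and Context.h, so nothing in tree exercises the failing sequence (delete the currently bound element array buffer, then issue an indexed draw and expect the validation error instead of a skipped size check), and a later edit to the invalidation list could silently reintroduce the stale cache. The upstream change this is taken from is the place to look for such a test to bring along. The new call is placed after `updateBasicDrawStatesError()`; if `updateBasicDrawElementsError()` depends on the draw-states result being current, that order is load-bearing and deserves a one-line comment such as `// Must follow updateBasicDrawStatesError(); the element-array check builds on it.` — confirm against the helper's body, which is not in this hunk. The start of onVertexArrayStateChange's body lies above the hunk.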
diff --git a/chromium/third_party/angle/src/libANGLE/Context.h b/chromium/third_party/angle/src/libANGLE/Context.h
index 5668bb4f6e8..e9f1cb80447 100644
--- a/chromium/third_party/angle/src/libANGLE/Context.h
+++ b/chromium/third_party/angle/src/libANGLE/Context.h
@@ -201,6 +201,7 @@ class StateCache final : angle::NonCopyable
// 1. onActiveTransformFeedbackChange.
// 2. onVertexArrayBufferStateChange.
// 3. onBufferBindingChange.
+ // 4. onVertexArrayStateChange
intptr_t getBasicDrawElementsError(Context *context) const
{
if (mCachedBasicDrawElementsError != kInvalidPointer)
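Review bot: The new list item `// 4. onVertexArrayStateChange` drops the trailing period that the three items above it carry; for consistency write `// 4. onVertexArrayStateChange.` This list is the only in-header documentation of which events refresh mCachedBasicDrawElementsError, so keeping it exact and in step with the calls in Context.cpp is what lets the next reader verify the invalidation set without retracing the .cpp. getBasicDrawElementsError's body continues past the end of the hunk.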