authorJamie Madill <jmadill@chromium.org>2020-07-22 13:58:50 -0400
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-08-11 14:48:14 +0000
commit563e0a1cd4f2a42cb1d2fb6d0a16cdb9b305305a (patch)
tree1b608e1f239d4560a054660f6d85e18751bb7bbe
parent6b7ceb6afd98b1723a6fdd83f09deceb9ac1b365 (diff)
downloadqtwebengine-chromium-563e0a1cd4f2a42cb1d2fb6d0a16cdb9b305305a.tar.gz
[Backport] CVE-2020-6542: Use after free in ANGLE
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/angle/angle/+/2314216: D3D11: Fix bug with static vertex attributes. In some specific cases after binding a zero size buffer we could end up trying to use a buffer storage that was no longer valid. Fix this by ensuring we don't flush dirty bits when we have an early exit due to a zero size buffer. Also adds a regression test. Bug: chromium:1107433 Change-Id: I9db560e8dd3699abed2bb7fe6d91060148ba1817 Commit-Queue: Jamie Madill <jmadill@chromium.org> Reviewed-by: Geoff Lang <geofflang@chromium.org> Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/VertexArray11.cpp5
1 files changed, 3 insertions, 2 deletions
diff --git a/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/VertexArray11.cpp b/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/VertexArray11.cpp
index 8fbb77a3082..e07b61a0ca1 100644
--- a/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/VertexArray11.cpp
+++ b/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/VertexArray11.cpp
@@ -249,8 +249,6 @@ angle::Result VertexArray11::updateDirtyAttribs(const gl::Context *context,
for (size_t dirtyAttribIndex : activeDirtyAttribs)
{
- mAttribsToTranslate.reset(dirtyAttribIndex);
-
auto *translatedAttrib = &mTranslatedAttribs[dirtyAttribIndex];
const auto &currentValue = glState.getVertexAttribCurrentValue(dirtyAttribIndex);
@@ -278,6 +276,9 @@ angle::Result VertexArray11::updateDirtyAttribs(const gl::Context *context,
UNREACHABLE();
break;
}
+
+ // Make sure we reset the dirty bit after the switch because STATIC can early exit.
+ mAttribsToTranslate.reset(dirtyAttribIndex);
}
return angle::Result::Continue;
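Review bot: The backport carries only the VertexArray11.cpp change, while the description says the original patch also adds a regression test; the diffstat shows a single file, so the zero-size-buffer early-exit path that this reorder protects is not exercised by any test in this tree, and a follow-up backport of that test would be worth tracking. The comment added before the moved `mAttribsToTranslate.reset(dirtyAttribIndex)` says only that STATIC can early exit, not why that matters; I would word it as `// Reset the dirty bit only after the switch: the STATIC case can exit early on a zero-size buffer, and the attrib must stay dirty so it is retranslated next time instead of reusing a buffer storage that is no longer valid.` The STATIC case and its early exit lie outside this hunk, so whether that exit is a `continue` or a `return` — and therefore whether other pending attribs in activeDirtyAttribs also keep their bits set — cannot be confirmed from the hunk alone.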