[Backport] CVE-2022-0789: Heap buffer overflow in ANGLE

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/angle/angle/+/3441309: M99: Vulkan: Fix texture array level redefinition When a level of a texture is redefined, all staged updates to that level should be removed, not the ones specific to the new layers. The bug fixed was that if the texture was redefined to have its number of layers changed, the staged higher-layer-count update to the image was not removed. Bug: chromium:1289383 Change-Id: Iab79c38d846d1abbdd92e11b1b60a3adf0fbde4c Reviewed-by: Lingfeng Yang <lfy@google.com> Reviewed-by: Jamie Madill <jmadill@chromium.org> Reviewed-by: Michal Klocek <michal.klocek@qt.io>
author: Shahbaz Youssefi <syoussefi@chromium.org> 2022-01-25 12:15:16 -0500
committer: Michael Brüning <michael.bruning@qt.io> 2022-05-03 20:14:48 +0000
commit: 3a0d560d3c1b8b21afc792dde24fd7aa5ccac31b (patch)
tree: 2ffbcff411365743279070a4523e3553bcbd4ea5
parent: fb0edb35aea02b69ce9deb3c3a25abc816c3c313 (diff)
download: qtwebengine-chromium-3a0d560d3c1b8b21afc792dde24fd7aa5ccac31b.tar.gz
1 files changed, 16 insertions, 3 deletions
diff --git a/chromium/third_party/angle/src/libANGLE/renderer/vulkan/TextureVk.cpp b/chromium/third_party/angle/src/libANGLE/renderer/vulkan/TextureVk.cpp
index fb0e4864f45..d3ac999806f 100644
--- a/chromium/third_party/angle/src/libANGLE/renderer/vulkan/TextureVk.cpp
+++ b/chromium/third_party/angle/src/libANGLE/renderer/vulkan/TextureVk.cpp
@@ -1558,12 +1558,25 @@ angle::Result TextureVk::redefineLevel(const gl::Context *context,
 
     if (mImage != nullptr)
     {
-        // If there is any staged changes for this index, we can remove them since we're going to
+        // If there are any staged changes for this index, we can remove them since we're going to
         // override them with this call.
         gl::LevelIndex levelIndexGL(index.getLevelIndex());
         uint32_t layerIndex = index.hasLayer() ? index.getLayerIndex() : 0;
-        mImage->removeSingleSubresourceStagedUpdates(contextVk, levelIndexGL, layerIndex,
-                                                     index.getLayerCount());
+        if (gl::IsArrayTextureType(index.getType()))
+        {
+            // A multi-layer texture is being redefined, remove all updates to this level; the
+            // number of layers may have changed.
+            mImage->removeStagedUpdates(contextVk, levelIndexGL, levelIndexGL);
+        }
+        else
+        {
+            // Otherwise remove only updates to this layer.  For example, cube map updates can be
+            // done through glTexImage2D, one per cube face (i.e. layer) and so should not remove
+            // updates to the other layers.
+            ASSERT(index.getLayerCount() == 1);
+            mImage->removeSingleSubresourceStagedUpdates(contextVk, levelIndexGL, layerIndex,
+                                                         index.getLayerCount());
+        }
 
         if (mImage->valid())
         {
author	Shahbaz Youssefi <syoussefi@chromium.org>	2022-01-25 12:15:16 -0500
committer	Michael Brüning <michael.bruning@qt.io>	2022-05-03 20:14:48 +0000
commit	3a0d560d3c1b8b21afc792dde24fd7aa5ccac31b (patch)
tree	2ffbcff411365743279070a4523e3553bcbd4ea5
parent	fb0edb35aea02b69ce9deb3c3a25abc816c3c313 (diff)
download	qtwebengine-chromium-3a0d560d3c1b8b21afc792dde24fd7aa5ccac31b.tar.gz