authorJamie Madill <jmadill@chromium.org>2022-04-11 12:29:00 -0400
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-05-03 20:16:55 +0000
commit4faa15cf23bcee983a9a211ac12efee802f01315 (patch)
treee1f085c73090b1917e470fe4d08cdf3aef10f7c5
parent6355456348004fbe028a949a1c8e61e11885092c (diff)
downloadqtwebengine-chromium-4faa15cf23bcee983a9a211ac12efee802f01315.tar.gz
[Backport] CVE-2022-1477: Use after free in Vulkan
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/angle/angle/+/3578378: Add error check on resuming XFB with deleted buffer. Bug: chromium:1305190 Change-Id: I22c6f6400b05ca32c922fba9a3b9d4b5841ca8b8 Auto-Submit: Jamie Madill <jmadill@chromium.org> Reviewed-by: Geoff Lang <geofflang@chromium.org> Commit-Queue: Jamie Madill <jmadill@chromium.org> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/angle/src/libANGLE/validationES3.cpp7
1 files changed, 7 insertions, 0 deletions
diff --git a/chromium/third_party/angle/src/libANGLE/validationES3.cpp b/chromium/third_party/angle/src/libANGLE/validationES3.cpp
index 60073b03fcd..113712ab8ad 100644
--- a/chromium/third_party/angle/src/libANGLE/validationES3.cpp
+++ b/chromium/third_party/angle/src/libANGLE/validationES3.cpp
@@ -4383,6 +4383,13 @@ bool ValidateBindSampler(const Context *context, GLuint unit, SamplerID sampler)
return false;
}
+ if (!ValidateProgramExecutableXFBBuffersPresent(context,
+ context->getState().getProgramExecutable()))
+ {
+ context->validationError(entryPoint, GL_INVALID_OPERATION, kTransformFeedbackBufferMissing);
+ return false;
+ }
+
return true;
}
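Review bot: The added check passes `context->getState().getProgramExecutable()` straight into `ValidateProgramExecutableXFBBuffersPresent` without testing it for null, and nothing visible in the hunk guarantees that an executable is present at this point. The helper's body is outside the hunk, so confirm that it tolerates a null executable; if it does not, read the pointer once into a local and guard the call, e.g. `if (executable != nullptr && !ValidateProgramExecutableXFBBuffersPresent(context, executable))`. A short comment above the check, such as `// Resuming XFB with a deleted buffer must fail validation (CVE-2022-1477).`, would keep the security reason next to the code for the next backport. The enclosing function begins before the hunk, and the `ValidateBindSampler` name in the hunk header is only git's nearest-signature context, so confirm from the full file which entry point is being patched.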