author | Jamie Madill <jmadill@chromium.org> | 2022-04-11 12:29:00 -0400 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-05-03 20:16:55 +0000 |
commit | 4faa15cf23bcee983a9a211ac12efee802f01315 (patch) | |
tree | e1f085c73090b1917e470fe4d08cdf3aef10f7c5 | |
parent | 6355456348004fbe028a949a1c8e61e11885092c (diff) | |
download | qtwebengine-chromium-4faa15cf23bcee983a9a211ac12efee802f01315.tar.gz |
[Backport] CVE-2022-1477: Use after free in Vulkan
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/3578378:
Add error check on resuming XFB with deleted buffer.
Bug: chromium:1305190
Change-Id: I22c6f6400b05ca32c922fba9a3b9d4b5841ca8b8
Auto-Submit: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Commit-Queue: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/angle/src/libANGLE/validationES3.cpp | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/chromium/third_party/angle/src/libANGLE/validationES3.cpp b/chromium/third_party/angle/src/libANGLE/validationES3.cpp index 60073b03fcd..113712ab8ad 100644 --- a/chromium/third_party/angle/src/libANGLE/validationES3.cpp +++ b/chromium/third_party/angle/src/libANGLE/validationES3.cpp @@ -4383,6 +4383,13 @@ bool ValidateBindSampler(const Context *context, GLuint unit, SamplerID sampler) return false; } + if (!ValidateProgramExecutableXFBBuffersPresent(context, + context->getState().getProgramExecutable())) + { + context->validationError(entryPoint, GL_INVALID_OPERATION, kTransformFeedbackBufferMissing); + return false; + } + return true; } |
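Review bot: The added `context->validationError(entryPoint, GL_INVALID_OPERATION, kTransformFeedbackBufferMissing)` call relies on `entryPoint`, but the only signature visible in this hunk, `ValidateBindSampler(const Context *context, GLuint unit, SamplerID sampler)` in the `@@` header, takes no entry-point argument, which suggests validation functions on this branch may not carry one. Please confirm that `entryPoint` is in scope in the function being patched and that `validationError` accepts it in this ANGLE revision; if not, the call needs adapting to this branch's signature. The diffstat shows only validationES3.cpp changing, so a regression test that resumes transform feedback after its buffer has been deleted and expects GL_INVALID_OPERATION would be worth carrying with the check.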