author | Jamie Madill <jmadill@chromium.org> | 2022-04-19 17:01:20 -0400 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-05-24 13:43:01 +0000 |
commit | f15c12d1b761129a370ae67ff4769fb3443166b8 (patch) | |
tree | 2c5c74a04b7b6bb942487f3d63d2e401b6e10c2d | |
parent | 1eef7ecd2c2c644f8abaa83ce77e663415c6ec43 (diff) | |
download | qtwebengine-chromium-f15c12d1b761129a370ae67ff4769fb3443166b8.tar.gz |
[Backport] CVE-2022-1639: Use after free in ANGLE
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/3594250:
Fix validate state cache after XFB buffer deleted.
Bug: chromium:1317650
Change-Id: Iec9f1167c3b2957091dd0f4ef3efcfcd7c4bf3c0
Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>
Auto-Submit: Jamie Madill <jmadill@chromium.org>
Commit-Queue: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/angle/src/libANGLE/State.cpp | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/chromium/third_party/angle/src/libANGLE/State.cpp b/chromium/third_party/angle/src/libANGLE/State.cpp index 683cb0635cd..af92252fc08 100644 --- a/chromium/third_party/angle/src/libANGLE/State.cpp +++ b/chromium/third_party/angle/src/libANGLE/State.cpp @@ -2111,10 +2111,7 @@ angle::Result State::detachBuffer(Context *context, const Buffer *buffer) if (curTransformFeedback) { ANGLE_TRY(curTransformFeedback->detachBuffer(context, bufferID)); - if (isTransformFeedbackActiveUnpaused()) - { - context->getStateCache().onActiveTransformFeedbackChange(context); - } + context->getStateCache().onActiveTransformFeedbackChange(context); } if (getVertexArray()->detachBuffer(context, bufferID)) |
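Review bot: In the `if (curTransformFeedback)` block of `State::detachBuffer`, the now-unconditional `context->getStateCache().onActiveTransformFeedbackChange(context);` carries no comment saying why the removed `isTransformFeedbackActiveUnpaused()` guard was unsafe, so a later cleanup could reintroduce it as an apparent optimization. A one-line comment above the call would help, stating that the state cache has to be refreshed after a transform feedback buffer is detached whether or not transform feedback is currently active and unpaused. The diffstat also shows only State.cpp changing, so no regression test comes with this backport; if the upstream review included one for the delete-buffer path, it is worth bringing along, since the fix is a single line that is easy to lose in a future merge.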