author | Geoff Lang <geofflang@google.com> | 2022-04-01 11:38:17 -0400 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-05-24 13:44:35 +0000 |
commit | bd6141bd6d1cdbfc535ccd62702446877865869f (patch) | |
tree | 47bbf3c80585b9886dcb3b496e29c4d91e33275b /chromium/third_party/angle/src/libANGLE/validationES2.cpp | |
parent | 3525521ad375fc4a0bf4b95b427d2f1dd0f016d2 (diff) | |
download | qtwebengine-chromium-bd6141bd6d1cdbfc535ccd62702446877865869f.tar.gz |
[Backport] Security bug 1298867
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/3563515:
Fix CheckedNumeric using the wrong type.
Validation for glBufferSubData checks that the buffer is large enough
for size+offset but verifies they fit in a size_t which is a different
type than the deduced type for size+offset on 32-bit systems.
Use decltype to ensure that we always verify there is no overflow on the
correct type.
Bug: chromium:1298867
Change-Id: I82f534b2d227d3273a763e626ebeae068dc918dc
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Jonah Ryan-Davis <jonahr@google.com>
Commit-Queue: Geoff Lang <geofflang@chromium.org>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/third_party/angle/src/libANGLE/validationES2.cpp')
-rw-r--r-- | chromium/third_party/angle/src/libANGLE/validationES2.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/chromium/third_party/angle/src/libANGLE/validationES2.cpp b/chromium/third_party/angle/src/libANGLE/validationES2.cpp index 10c4b087d2b..782d0b2dd41 100644 --- a/chromium/third_party/angle/src/libANGLE/validationES2.cpp +++ b/chromium/third_party/angle/src/libANGLE/validationES2.cpp @@ -3778,7 +3778,7 @@ bool ValidateBufferSubData(const Context *context, } // Check for possible overflow of size + offset - angle::CheckedNumeric<size_t> checkedSize(size); + angle::CheckedNumeric<decltype(size + offset)> checkedSize(size); checkedSize += offset; if (!checkedSize.IsValid()) { |
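Review bot: The changed line in ValidateBufferSubData, `angle::CheckedNumeric<decltype(size + offset)> checkedSize(size);`, has nothing next to it saying why the checked type is deduced rather than written as size_t, so a later cleanup could revert it to the type the commit message identifies as wrong on 32-bit systems. Consider extending the existing comment `// Check for possible overflow of size + offset` to state that the check must run on the deduced type of size + offset. The diffstat also lists only validationES2.cpp, so no regression test accompanies the fix; a test where size + offset overflows the deduced type on a 32-bit build would pin the behaviour.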