author | Shahbaz Youssefi <syoussefi@chromium.org> | 2022-01-31 12:07:43 -0500 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-02-21 22:13:14 +0000 |
commit | cb43582f4a1519ed475a299de3305ac311ef0071 (patch) | |
tree | d22b19ae12e71d4049f76db2f9b63920db8101f1 /chromium | |
parent | f14277bbc0dbeb9422ab78b13d67bebdba037951 (diff) | |
download | qtwebengine-chromium-cb43582f4a1519ed475a299de3305ac311ef0071.tar.gz |
[Backport] CVE-2022-0606: Use after free in ANGLE
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/3427561:
Vulkan: Fix vkCmdResolveImage extents
The source framebuffer's extents were accidentally used instead of the
blit area extents.
Bug: chromium:1288020
Change-Id: Ib723db50d9687fee0453d027141a94ea26d8a4b8
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Diffstat (limited to 'chromium')
-rw-r--r-- | chromium/third_party/angle/src/libANGLE/renderer/vulkan/FramebufferVk.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/chromium/third_party/angle/src/libANGLE/renderer/vulkan/FramebufferVk.cpp b/chromium/third_party/angle/src/libANGLE/renderer/vulkan/FramebufferVk.cpp index 57d49aedffb..80d9e866444 100644 --- a/chromium/third_party/angle/src/libANGLE/renderer/vulkan/FramebufferVk.cpp +++ b/chromium/third_party/angle/src/libANGLE/renderer/vulkan/FramebufferVk.cpp @@ -1436,8 +1436,8 @@ angle::Result FramebufferVk::resolveColorWithCommand(ContextVk *contextVk, resolveRegion.dstOffset.x = params.destOffset[0]; resolveRegion.dstOffset.y = params.destOffset[1]; resolveRegion.dstOffset.z = 0; - resolveRegion.extent.width = params.srcExtents[0]; - resolveRegion.extent.height = params.srcExtents[1]; + resolveRegion.extent.width = params.blitArea.width; + resolveRegion.extent.height = params.blitArea.height; resolveRegion.extent.depth = 1; vk::PerfCounters &perfCounters = contextVk->getPerfCounters(); |
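Review bot: The replaced `resolveRegion.extent.width` / `resolveRegion.extent.height` assignments in `resolveColorWithCommand` carry no comment or assertion saying that the resolve region must be the blit area and not the full source framebuffer, and the diffstat lists only FramebufferVk.cpp, so no test exercises a resolve whose blit area is smaller than the source. Since the commit message describes the old `params.srcExtents` use as accidental, a one-line comment above `resolveRegion.extent.width = params.blitArea.width;` would guard against the same slip. If it is not already checked earlier in the function, an assertion that `dstOffset` plus `extent` stays inside the destination image would catch an oversized region in debug builds, and a regression test with a blit area smaller than the source framebuffer would cover the case this fix addresses.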