From cb43582f4a1519ed475a299de3305ac311ef0071 Mon Sep 17 00:00:00 2001
From: Shahbaz Youssefi <syoussefi@chromium.org>
Date: Mon, 31 Jan 2022 12:07:43 -0500
Subject: [Backport] CVE-2022-0606: Use after free in ANGLE

Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/3427561:
Vulkan: Fix vkCmdResolveImage extents

The source framebuffer's extents were accidentally used instead of the
blit area extents.

Bug: chromium:1288020
Change-Id: Ib723db50d9687fee0453d027141a94ea26d8a4b8
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
---
 .../third_party/angle/src/libANGLE/renderer/vulkan/FramebufferVk.cpp  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/chromium/third_party/angle/src/libANGLE/renderer/vulkan/FramebufferVk.cpp b/chromium/third_party/angle/src/libANGLE/renderer/vulkan/FramebufferVk.cpp
index 57d49aedffb..80d9e866444 100644
--- a/chromium/third_party/angle/src/libANGLE/renderer/vulkan/FramebufferVk.cpp
+++ b/chromium/third_party/angle/src/libANGLE/renderer/vulkan/FramebufferVk.cpp
@@ -1436,8 +1436,8 @@ angle::Result FramebufferVk::resolveColorWithCommand(ContextVk *contextVk,
     resolveRegion.dstOffset.x                   = params.destOffset[0];
     resolveRegion.dstOffset.y                   = params.destOffset[1];
     resolveRegion.dstOffset.z                   = 0;
-    resolveRegion.extent.width                  = params.srcExtents[0];
-    resolveRegion.extent.height                 = params.srcExtents[1];
+    resolveRegion.extent.width                  = params.blitArea.width;
+    resolveRegion.extent.height                 = params.blitArea.height;
     resolveRegion.extent.depth                  = 1;
 
     vk::PerfCounters &perfCounters = contextVk->getPerfCounters();
-- 
cgit v1.2.1