[Backport] CVE-2021-30559: Out of bounds write in ANGLE

null77 · mibrunin · commit 113be2cea581 · 2021-09-03T12:04:59.000Z
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/angle/angle/+/2961070: D3D11: Fix OOB write in Blit11. This could happen for specific values of the 'dest' target. Bug: chromium:1219082 Change-Id: Ic19a5dc4a95531f9513403ad9c97a4b4c5dc5a6f Reviewed-by: Jamie Madill <jmadill@chromium.org> Reviewed-by: Geoff Lang <geofflang@chromium.org> Commit-Queue: Jamie Madill <jmadill@chromium.org> Reviewed-by: Michal Klocek <michal.klocek@qt.io> (cherry picked from commit dcd69a3) Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
diff --git a/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp b/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp
@@ -60,12 +60,13 @@ void StretchedBlitNearest_RowByRow(const gl::Box &sourceArea,
                                    uint8_t *destData)
 {
     int srcHeightSubOne = (sourceArea.height - 1);
-    size_t copySize     = pixelSize * destArea.width;
+    size_t copySize     = pixelSize * clippedDestArea.width;
     size_t srcOffset    = sourceArea.x * pixelSize;
-    size_t destOffset   = destArea.x * pixelSize;
+    size_t destOffset   = clippedDestArea.x * pixelSize;
 
     for (int y = clippedDestArea.y; y < clippedDestArea.y + clippedDestArea.height; y++)
     {
+        // TODO: Fix divide by zero when height == 1. http://anglebug.com/6099
         float yPerc = static_cast<float>(y - destArea.y) / (destArea.height - 1);
 
         // Interpolate using the original source rectangle to determine which row to sample from

Original file line number	Diff line number	Diff line change
`@@ -60,12 +60,13 @@ void StretchedBlitNearest_RowByRow(const gl::Box &sourceArea,`
`60`	`60`	`uint8_t *destData)`
`61`	`61`	`{`
`62`	`62`	`int srcHeightSubOne = (sourceArea.height - 1);`
`63`		`- size_t copySize = pixelSize * destArea.width;`
	`63`	`+ size_t copySize = pixelSize * clippedDestArea.width;`
`64`	`64`	`size_t srcOffset = sourceArea.x * pixelSize;`
`65`		`- size_t destOffset = destArea.x * pixelSize;`
	`65`	`+ size_t destOffset = clippedDestArea.x * pixelSize;`
`66`	`66`
`67`	`67`	`for (int y = clippedDestArea.y; y < clippedDestArea.y + clippedDestArea.height; y++)`
`68`	`68`	`{`
	`69`	`+ // TODO: Fix divide by zero when height == 1. http://anglebug.com/6099`
`69`	`70`	`float yPerc = static_cast<float>(y - destArea.y) / (destArea.height - 1);`
`70`	`71`
`71`	`72`	`// Interpolate using the original source rectangle to determine which row to sample from`