WebGL 2: validate read buffer attachment when reading from FBO

Source/core/html/canvas/WebGL2RenderingContextBase.cpp

Index: Source/core/html/canvas/WebGL2RenderingContextBase.cpp
diff --git a/Source/core/html/canvas/WebGL2RenderingContextBase.cpp b/Source/core/html/canvas/WebGL2RenderingContextBase.cpp
index 73963ac03302f8ecfec4700282f78e7884e43238..a7d1fbd74a057aaf4c78be61d89ed3d5d3a13332 100644
--- a/Source/core/html/canvas/WebGL2RenderingContextBase.cpp
+++ b/Source/core/html/canvas/WebGL2RenderingContextBase.cpp
@@ -168,6 +168,33 @@ void WebGL2RenderingContextBase::readBuffer(GLenum mode)
     if (isContextLost())
         return;
 
+    switch (mode) {
+    case GL_BACK:
+    case GL_NONE:
+    case GL_COLOR_ATTACHMENT0:
+        break;
+    default:
+        if (attachment > GL_COLOR_ATTACHMENT0
+            && attachment < static_cast<GLenum>(GL_COLOR_ATTACHMENT0 + maxColorAttachments()))
+            break;
+        synthesizeGLError(GL_INVALID_ENUM, "readBuffer", "invalid read buffer");
+        return;
+    }
+
+    WebGLFramebuffer* readFramebufferBinding = getFramebufferBinding(GL_READ_FRAMEBUFFER);
+    if (!readFramebufferBinding) {
+        ASSERT(drawingBuffer());
+        if (mode != GL_BACK || mode != GL_NONE) {
+            synthesizeGLError(GL_INVALID_OPERATION, "readBuffer", "invalid read buffer");
+            return;
+        }
+    } else {
+        if (mode == GL_BACK) {
+            synthesizeGLError(GL_INVALID_OPERATION, "readBuffer", "invalid read buffer");
+            return;
+        }
+        m_readbufferOfFBO = mode;
+    }
     webContext()->readBuffer(mode);
 }