WebGL: validations and fixes to avoid buffer/texture overflow

Source/modules/webgl/WebGL2RenderingContextBase.cpp

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "config.h"
 #include "modules/webgl/WebGL2RenderingContextBase.h"
 
 #include "bindings/modules/v8/WebGLAny.h"
 #include "core/html/HTMLCanvasElement.h"
 #include "core/html/HTMLImageElement.h"
@@ skipping 100 matching lines @@
     }
 
     WebGLBuffer* readBuffer = validateBufferDataTarget("copyBufferSubData", readTarget);
     if (!readBuffer)
         return;
 
     WebGLBuffer* writeBuffer = validateBufferDataTarget("copyBufferSubData", writeTarget);
     if (!writeBuffer)
         return;
 
+    if (readOffset + size > readBuffer->getSize() || writeOffset + size > writeBuffer->getSize()) {
+        synthesizeGLError(GL_INVALID_VALUE, "copyBufferSubData", "buffer overflow");
+        return;
+    }
+
     if ((writeBuffer->getInitialTarget() == GL_ELEMENT_ARRAY_BUFFER && readBuffer->getInitialTarget() != GL_ELEMENT_ARRAY_BUFFER)
         || (writeBuffer->getInitialTarget() != GL_ELEMENT_ARRAY_BUFFER && readBuffer->getInitialTarget() == GL_ELEMENT_ARRAY_BUFFER)) {
         synthesizeGLError(GL_INVALID_OPERATION, "copyBufferSubData", "Cannot copy into an element buffer destination from a non-element buffer source");
         return;
     }
 
     if (writeBuffer->getInitialTarget() == 0)
         writeBuffer->setInitialTarget(readBuffer->getInitialTarget());
 
     webContext()->copyBufferSubData(readTarget, writeTarget, static_cast<GLintptr>(readOffset), static_cast<GLintptr>(writeOffset), static_cast<GLsizeiptr>(size));
 }
 
 void WebGL2RenderingContextBase::getBufferSubData(GLenum target, long long offset, DOMArrayBuffer* returnedData)
 {
     if (isContextLost())
         return;
 
     if (!returnedData) {
         synthesizeGLError(GL_INVALID_VALUE, "getBufferSubData", "ArrayBuffer cannot be null");
         return;
     }
 
     if (!validateValueFitNonNegInt32("getBufferSubData", "offset", offset)) {
         return;
     }
 
+    WebGLBuffer* buffer = validateBufferDataTarget("getBufferSubData", target);
+    if (!buffer)
+        return;
+    if (offset + returnedData->byteLength() > buffer->getSize()) {
+        synthesizeGLError(GL_INVALID_VALUE, "getBufferSubData", "buffer overflow");
+        return;
+    }
+
     void* mappedData = webContext()->mapBufferRange(target, static_cast<GLintptr>(offset), returnedData->byteLength(), GL_MAP_READ_BIT);
 
     if (!mappedData)
         return;
 
     memcpy(returnedData->data(), mappedData, returnedData->byteLength());
 
     webContext()->unmapBuffer(target);
 }
 
@@ skipping 345 matching lines @@
         return false;
     }
 
     WebGLTexture* tex = validateTextureBinding(functionName, target, false);
     if (!tex)
         return false;
 
     if (!validateTexFuncLevel(functionName, target, level))
         return false;
 
-    if (width - xoffset > tex->getWidth(target, level)
-        || height - yoffset > tex->getHeight(target, level)
-        || depth - zoffset > tex->getDepth(target, level)) {
-        synthesizeGLError(GL_INVALID_OPERATION, functionName, "dimensions out of range");
+    // Before checking if it is in the range, check if overflow happens first.
+    Checked<GLint, RecordOverflow> maxX = xoffset, maxY = yoffset, maxZ = zoffset;
+    maxX += width;
+    maxY += height;
+    maxZ += depth;
+    if (maxX.hasOverflowed() || maxY.hasOverflowed() || maxZ.hasOverflowed()
+        || maxX.unsafeGet() > tex->getWidth(target, level)
+        || maxY.unsafeGet() > tex->getHeight(target, level)
+        || maxZ.unsafeGet() > tex->getDepth(target, level)) {
+        synthesizeGLError(GL_INVALID_VALUE, functionName, "dimensions out of range");
         return false;
     }
 
     GLenum internalformat = tex->getInternalFormat(target, level);
     if (!validateTexFuncFormatAndType(functionName, internalformat, format, type, level))
         return false;
 
     return true;
 }
 
@@ skipping 76 matching lines @@
     }
     if (m_unpackAlignment != 1)
         webContext()->pixelStorei(GL_UNPACK_ALIGNMENT, 1);
     webContext()->texSubImage3D(target, level, xoffset, yoffset, zoffset, pixels->width(), pixels->height(), 1, format, type, needConversion ? data.data() : pixels->data()->data());
     if (m_unpackAlignment != 1)
         webContext()->pixelStorei(GL_UNPACK_ALIGNMENT, m_unpackAlignment);
 }
 
 void WebGL2RenderingContextBase::texSubImage3D(GLenum target, GLint level, GLint xoffset, GLint yoffset, GLint zoffset, GLenum format, GLenum type, HTMLImageElement* image, ExceptionState& exceptionState)
 {
-    if (isContextLost() || !image || !validateTexSubImage3D("texSubImage3D", target, level, xoffset, yoffset, zoffset, format, type, image->width(), image->height(), 1))
-        return;
-
-    if (isContextLost() || !validateHTMLImageElement("texSubImage3D", image, exceptionState))
+    if (isContextLost() || !image || !validateHTMLImageElement("texSubImage3D", image, exceptionState))
         return;
 
     RefPtr<Image> imageForRender = image->cachedImage()->imageForLayoutObject(image->layoutObject());
     if (imageForRender->isSVGImage())
         imageForRender = drawImageIntoBuffer(imageForRender.get(), image->width(), image->height(), "texSubImage3D");
 
     texSubImage3DImpl(target, level, xoffset, yoffset, zoffset, format, type, imageForRender.get(), WebGLImageConversion::HtmlDomImage, m_unpackFlipY, m_unpackPremultiplyAlpha);
 }
 
 void WebGL2RenderingContextBase::texSubImage3D(GLenum target, GLint level, GLint xoffset, GLint yoffset, GLint zoffset, GLenum format, GLenum type, HTMLCanvasElement* canvas, ExceptionState& exceptionState)
@@ skipping 1048 matching lines @@
     bool deleted;
     if (!checkObjectToBeBound("bindBufferRange", buffer, deleted))
         return;
     if (deleted)
         buffer = 0;
     if (!validateValueFitNonNegInt32("bindBufferRange", "offset", offset)
         || !validateValueFitNonNegInt32("bindBufferRange", "size", size)) {
         return;
     }
 
-    if (!validateAndUpdateBufferBindBaseTarget("bindBufferRange", target, index, buffer))
+    if (buffer && (offset + size > buffer->getSize())) {
+        synthesizeGLError(GL_INVALID_VALUE, "bindBufferRange", "buffer overflow");
         return;
+    }
 
     webContext()->bindBufferRange(target, index, objectOrZero(buffer), static_cast<GLintptr>(offset), static_cast<GLsizeiptr>(size));
 }
 
 ScriptValue WebGL2RenderingContextBase::getIndexedParameter(ScriptState* scriptState, GLenum target, GLuint index)
 {
     if (isContextLost())
         return ScriptValue::createNull(scriptState);
 
     switch (target) {
@@ skipping 1027 matching lines @@
 GLenum WebGL2RenderingContextBase::boundFramebufferColorFormat()
 {
     if (m_readFramebufferBinding && m_readFramebufferBinding->object())
         return m_readFramebufferBinding->colorBufferFormat();
     if (m_requestedAttributes.alpha())
         return GL_RGBA;
     return GL_RGB;
 }
 
 } // namespace blink