Validate pixel data array is enough for request by texImage3D and texSubImage3D

third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp

Index: third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp
diff --git a/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp b/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp
index 04a9eecec34188a5d07a5b0806378d7682cd9354..0ebe65a9a75c7524461058e906c249ea0e901345 100644
--- a/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp
+++ b/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp
@@ -4284,7 +4284,7 @@ void WebGLRenderingContextBase::texImage2D(GLenum target, GLint level, GLenum in
     GLenum format, GLenum type, DOMArrayBufferView* pixels)
 {
     if (isContextLost() || !validateTexFunc("texImage2D", NotTexSubImage2D, SourceArrayBufferView, target, level, internalformat, width, height, border, format, type, 0, 0)
-        || !validateTexFuncData("texImage2D", level, width, height, format, type, pixels, NullAllowed))
+        || !validateTexFuncData("texImage2D", level, width, height, 1, format, type, pixels, NullAllowed))
         return;
     void* data = pixels ? pixels->baseAddress() : 0;
     Vector<uint8_t> tempData;
@@ -4608,7 +4608,7 @@ void WebGLRenderingContextBase::texSubImage2D(GLenum target, GLint level, GLint
     GLenum format, GLenum type, DOMArrayBufferView* pixels)
 {
     if (isContextLost() || !validateTexFunc("texSubImage2D", TexSubImage2D, SourceArrayBufferView, target, level, 0, width, height, 0, format, type, xoffset, yoffset)
-        || !validateTexFuncData("texSubImage2D", level, width, height, format, type, pixels, NullNotAllowed))
+        || !validateTexFuncData("texSubImage2D", level, width, height, 1, format, type, pixels, NullNotAllowed))
         return;
     void* data = pixels->baseAddress();
     Vector<uint8_t> tempData;
@@ -5699,7 +5699,7 @@ bool WebGLRenderingContextBase::validateTexFuncParameters(const char* functionNa
     return true;
 }
 
-bool WebGLRenderingContextBase::validateTexFuncData(const char* functionName, GLint level, GLsizei width, GLsizei height, GLenum format, GLenum type, DOMArrayBufferView* pixels, NullDisposition disposition)
+bool WebGLRenderingContextBase::validateTexFuncData(const char* functionName, GLint level, GLsizei width, GLsizei height, GLsizei depth, GLenum format, GLenum type, DOMArrayBufferView* pixels, NullDisposition disposition)
 {
     // All calling functions check isContextLost, so a duplicate check is not needed here.
     if (!pixels) {
@@ -5777,6 +5777,7 @@ bool WebGLRenderingContextBase::validateTexFuncData(const char* functionName, GL
 
     unsigned totalBytesRequired;
     GLenum error = WebGLImageConversion::computeImageSizeInBytes(format, type, width, height, m_unpackAlignment, &totalBytesRequired, 0);
+    totalBytesRequired *= depth;

[Zhenyao Mo, 2015/11/12 02:01:20]

This is a bad hack.  You should add the |depth| into
WebGLImageConversion::computeImageSizeInBytes(). There you will see, *= isn't
safe.  We need to consider overflow.

[qiankun, 2015/11/12 05:46:19]

Thanks. I passed depth to  WebGLImageConversion::computeImageSizeInBytes() as a
parameter.

     if (error != GL_NO_ERROR) {
         synthesizeGLError(error, functionName, "invalid texture dimensions");
         return false;
@@ -5784,6 +5785,7 @@ bool WebGLRenderingContextBase::validateTexFuncData(const char* functionName, GL
     if (pixels->byteLength() < totalBytesRequired) {
         if (m_unpackAlignment != 1) {
             error = WebGLImageConversion::computeImageSizeInBytes(format, type, width, height, 1, &totalBytesRequired, 0);
+            totalBytesRequired *= depth;
             if (pixels->byteLength() == totalBytesRequired) {
                 synthesizeGLError(GL_INVALID_OPERATION, functionName, "ArrayBufferView not big enough for request with UNPACK_ALIGNMENT > 1");
                 return false;