Supress integer-overflow in TexSubImage2D(3D)Impl

gpu/command_buffer/client/gles2_implementation.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // A class to emulate GLES2 over command buffers.
 
 #include "gpu/command_buffer/client/gles2_implementation.h"
 
 #include <GLES2/gl2.h>
 #include <GLES2/gl2ext.h>
 #include <GLES2/gl2extchromium.h>
 #include <GLES3/gl3.h>
 #include <stddef.h>
 #include <stdint.h>
 #include <algorithm>
 #include <map>
 #include <set>
 #include <sstream>
 #include <string>
 #include "base/atomic_sequence_num.h"
 #include "base/compiler_specific.h"
+#include "base/numerics/safe_math.h"
 #include "base/strings/string_split.h"
 #include "base/strings/stringprintf.h"
 #include "base/sys_info.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/trace_event/memory_allocator_dump.h"
 #include "base/trace_event/memory_dump_manager.h"
 #include "base/trace_event/process_memory_dump.h"
 #include "base/trace_event/trace_event.h"
 #include "gpu/command_buffer/client/buffer_tracker.h"
 #include "gpu/command_buffer/client/gles2_cmd_helper.h"
@@ skipping 3027 matching lines @@
     GLint num_rows = ComputeNumRowsThatFitInBuffer(
         buffer_padded_row_size, unpadded_row_size, buffer->size(), height);
     num_rows = std::min(num_rows, height);
     CopyRectToBuffer(
         source, num_rows, unpadded_row_size, pixels_padded_row_size,
         buffer->address(), buffer_padded_row_size);
     helper_->TexSubImage2D(
         target, level, xoffset, yoffset, width, num_rows, format, type,
         buffer->shm_id(), buffer->offset(), internal);
     buffer->Release();
-    yoffset += num_rows;
+    base::CheckedNumeric<GLint> updated_yoffset = yoffset;
+    updated_yoffset += num_rows;
+    yoffset = updated_yoffset.ValueOrDefault(std::numeric_limits<int>::max());

[Zhenyao Mo, 2016/09/07 02:15:16]

Can we generate an INVALID_VALUE instead?

[xidachen, 2016/09/07 12:23:00]

I used GL_INVALID_VALUE. So do we have checks somewhere to make sure that we
abort or doing something when we see that yoffset becomes GL_INVALID_VALUE?

     source += num_rows * pixels_padded_row_size;
     height -= num_rows;
   }
 }
 
 void GLES2Implementation::TexSubImage3DImpl(GLenum target,
                                             GLint level,
                                             GLint xoffset,
                                             GLint yoffset,
                                             GLsizei zoffset,
@@ skipping 71 matching lines @@
             source + ii * image_size_src, my_height, unpadded_row_size,
             pixels_padded_row_size, buffer_pointer + ii * image_size_dst,
             buffer_padded_row_size);
       }
     } else {
       CopyRectToBuffer(
           source, my_height, unpadded_row_size, pixels_padded_row_size,
           buffer->address(), buffer_padded_row_size);
     }
     helper_->TexSubImage3D(
         target, level, xoffset, yoffset + row_index, zoffset + depth_index,

[Zhenyao Mo, 2016/09/07 02:15:16]

Here, should we worry about overflow also?

[xidachen, 2016/09/07 12:23:00]

Ah, I totally missed that. Added in the new patch.

         width, my_height, my_depth,
         format, type, buffer->shm_id(), buffer->offset(), internal);
     buffer->Release();
 
     total_rows -= num_rows;
     if (total_rows > 0) {
       GLint num_image_paddings;
       if (num_images > 0) {
         DCHECK_EQ(row_index, 0);
         depth_index += num_images;
@@ skipping 3723 matching lines @@
   cached_extensions_.clear();
 }
 
 // Include the auto-generated part of this file. We split this because it means
 // we can easily edit the non-auto generated parts right here in this file
 // instead of having to edit some template or the code generator.
 #include "gpu/command_buffer/client/gles2_implementation_impl_autogen.h"
 
 }  // namespace gles2
 }  // namespace gpu