Supress integer-overflow in TexSubImage2D(3D)Impl

gpu/command_buffer/client/gles2_implementation.cc

Index: gpu/command_buffer/client/gles2_implementation.cc
diff --git a/gpu/command_buffer/client/gles2_implementation.cc b/gpu/command_buffer/client/gles2_implementation.cc
index aa3b18d4e783c28b8bb69de4ca9198c64856346c..f066b90e1d3d569037c605cb83913ef971327346 100644
--- a/gpu/command_buffer/client/gles2_implementation.cc
+++ b/gpu/command_buffer/client/gles2_implementation.cc
@@ -19,6 +19,7 @@
 #include <string>
 #include "base/atomic_sequence_num.h"
 #include "base/compiler_specific.h"
+#include "base/numerics/safe_math.h"
 #include "base/strings/string_split.h"
 #include "base/strings/stringprintf.h"
 #include "base/sys_info.h"
@@ -3066,7 +3067,13 @@ void GLES2Implementation::TexSubImage2DImpl(GLenum target,
         target, level, xoffset, yoffset, width, num_rows, format, type,
         buffer->shm_id(), buffer->offset(), internal);
     buffer->Release();
-    yoffset += num_rows;
+    base::CheckedNumeric<GLint> updated_yoffset = yoffset;
+    updated_yoffset += num_rows;
+    if (!updated_yoffset.IsValid()) {
+      SetGLError(GL_INVALID_VALUE, "TexSubImage2DImpl",
+          "yoffset + height overflows");

[piman, 2016/09/07 17:48:18]

Here and other places: we should return early and avoid issuing invalid
TexSubImage2DImpl. In particular it is not legitimate to write to yoffset=0 in
case of overflow, if the original request did not include those texels.

Technically, if we issue a GL error, we should not be filling any texel at all.
Could we check this overflow before calling TexSubImage2DImpl? Is there any case
where we would overflow here but not by checking overflow of yoffset+height?

+    }
+    yoffset = updated_yoffset.ValueOrDefault(0);
     source += num_rows * pixels_padded_row_size;
     height -= num_rows;
   }
@@ -3157,9 +3164,21 @@ void GLES2Implementation::TexSubImage3DImpl(GLenum target,
           source, my_height, unpadded_row_size, pixels_padded_row_size,
           buffer->address(), buffer_padded_row_size);
     }
+    base::CheckedNumeric<GLint> updated_yoffset = yoffset;
+    updated_yoffset += row_index;
+    if (!updated_yoffset.IsValid()) {
+      SetGLError(GL_INVALID_VALUE, "TexSubImage3DImpl",
+          "yoffset + row_index overflows");

[Zhenyao Mo, 2016/09/07 17:39:23]

row_index and depth_index below are internal implementation details.  You should
use height and depth instead.

+    }
+    base::CheckedNumeric<GLint> updated_zoffset = zoffset;
+    updated_zoffset += depth_index;
+    if (!updated_zoffset.IsValid()) {
+      SetGLError(GL_INVALID_VALUE, "TexSubImage3DImpl",
+          "zoffset + depth_index overflows");
+    }
     helper_->TexSubImage3D(
-        target, level, xoffset, yoffset + row_index, zoffset + depth_index,
-        width, my_height, my_depth,
+        target, level, xoffset, updated_yoffset.ValueOrDefault(0),
+        updated_zoffset.ValueOrDefault(0), width, my_height, my_depth,
         format, type, buffer->shm_id(), buffer->offset(), internal);
     buffer->Release();