Supress integer-overflow in TexSubImage2D(3D)Impl

gpu/command_buffer/client/gles2_implementation.cc

Index: gpu/command_buffer/client/gles2_implementation.cc
diff --git a/gpu/command_buffer/client/gles2_implementation.cc b/gpu/command_buffer/client/gles2_implementation.cc
index aa3b18d4e783c28b8bb69de4ca9198c64856346c..4a879f41ee9d76a524ef60fd18129083d55922da 100644
--- a/gpu/command_buffer/client/gles2_implementation.cc
+++ b/gpu/command_buffer/client/gles2_implementation.cc
@@ -19,6 +19,7 @@
 #include <string>
 #include "base/atomic_sequence_num.h"
 #include "base/compiler_specific.h"
+#include "base/numerics/safe_math.h"
 #include "base/strings/string_split.h"
 #include "base/strings/stringprintf.h"
 #include "base/sys_info.h"
@@ -3066,7 +3067,9 @@ void GLES2Implementation::TexSubImage2DImpl(GLenum target,
         target, level, xoffset, yoffset, width, num_rows, format, type,
         buffer->shm_id(), buffer->offset(), internal);
     buffer->Release();
-    yoffset += num_rows;
+    base::CheckedNumeric<GLint> updated_yoffset = yoffset;
+    updated_yoffset += num_rows;
+    yoffset = updated_yoffset.ValueOrDefault(std::numeric_limits<int>::max());

[Zhenyao Mo, 2016/09/07 02:15:16]

Can we generate an INVALID_VALUE instead?

[xidachen, 2016/09/07 12:23:00]

I used GL_INVALID_VALUE. So do we have checks somewhere to make sure that we
abort or doing something when we see that yoffset becomes GL_INVALID_VALUE?

     source += num_rows * pixels_padded_row_size;
     height -= num_rows;
   }