From e7189e33f533f9b974b22c2110b522a13bc4c7f6 Mon Sep 17 00:00:00 2001 From: Andrew Osmond Date: Tue, 10 Apr 2018 09:40:02 -0400 Subject: Bug 1388020. r=nical, a=RyanVM --- gfx/gl/GLTextureImage.cpp | 3 +++ gfx/gl/GLUploadHelpers.cpp | 31 ++++++++++++++++++++++++++++++- gfx/gl/GLUploadHelpers.h | 2 ++ gfx/gl/TextureImageEGL.cpp | 4 ++++ 4 files changed, 39 insertions(+), 1 deletion(-) (limited to 'gfx/gl') diff --git a/gfx/gl/GLTextureImage.cpp b/gfx/gl/GLTextureImage.cpp index c91d558af4..65678432da 100644 --- a/gfx/gl/GLTextureImage.cpp +++ b/gfx/gl/GLTextureImage.cpp @@ -149,6 +149,9 @@ BasicTextureImage::DirectUpdate(gfx::DataSourceSurface* aSurf, const nsIntRegion &uploadSize, needInit, aFrom); + if (mTextureFormat == SurfaceFormat::UNKNOWN) { + return false; + } if (uploadSize > 0) { UpdateUploadSize(uploadSize); diff --git a/gfx/gl/GLUploadHelpers.cpp b/gfx/gl/GLUploadHelpers.cpp index 75165eedf7..ca1c890a48 100644 --- a/gfx/gl/GLUploadHelpers.cpp +++ b/gfx/gl/GLUploadHelpers.cpp @@ -27,6 +27,23 @@ DataOffset(const IntPoint& aPoint, int32_t aStride, SurfaceFormat aFormat) return data; } +static bool +CheckUploadBounds(const IntSize& aDst, const IntSize& aSrc, const IntPoint& aOffset) +{ + if (aOffset.x < 0 || aOffset.y < 0 || + aOffset.x >= aSrc.width || + aOffset.y >= aSrc.height) { + MOZ_ASSERT_UNREACHABLE("Offset outside source bounds"); + return false; + } + if (aDst.width > (aSrc.width - aOffset.x) || + aDst.height > (aSrc.height - aOffset.y)) { + MOZ_ASSERT_UNREACHABLE("Source has insufficient data"); + return false; + } + return true; +} + static GLint GetAddressAlignment(ptrdiff_t aAddress) { if (!(aAddress & 0x7)) { @@ -375,6 +392,7 @@ TexImage2DHelper(GLContext* gl, SurfaceFormat UploadImageDataToTexture(GLContext* gl, unsigned char* aData, + const gfx::IntSize& aDataSize, int32_t aStride, SurfaceFormat aFormat, const nsIntRegion& aDstRegion, @@ -498,6 +516,10 @@ UploadImageDataToTexture(GLContext* gl, // Upload each rect in the region to the texture for (auto iter = aDstRegion.RectIter(); !iter.Done(); iter.Next()) { const IntRect& rect = iter.Get(); + if (!CheckUploadBounds(rect.Size(), aDataSize, rect.TopLeft())) { + return SurfaceFormat::UNKNOWN; + } + const unsigned char* rectData = aData + DataOffset(rect.TopLeft(), aStride, aFormat); @@ -534,10 +556,17 @@ UploadSurfaceToTexture(GLContext* gl, int32_t stride = aSurface->Stride(); SurfaceFormat format = aSurface->GetFormat(); + gfx::IntSize size = aSurface->GetSize(); + if (!CheckUploadBounds(aSize, size, aSrcPoint)) { + return SurfaceFormat::UNKNOWN; + } + unsigned char* data = aSurface->GetData() + DataOffset(aSrcPoint, stride, format); + size.width -= aSrcPoint.x; + size.height -= aSrcPoint.y; - return UploadImageDataToTexture(gl, data, stride, format, + return UploadImageDataToTexture(gl, data, size, stride, format, aDstRegion, aTexture, aSize, aOutUploadSize, aNeedInit, aTextureUnit, aTextureTarget); diff --git a/gfx/gl/GLUploadHelpers.h b/gfx/gl/GLUploadHelpers.h index 866d44adbe..f732d2b383 100644 --- a/gfx/gl/GLUploadHelpers.h +++ b/gfx/gl/GLUploadHelpers.h @@ -28,6 +28,7 @@ class GLContext; * \param gl The GL Context to use. * \param aData Start of image data of surface to upload. * Corresponds to the first pixel of the texture. + * \param aDataSize The image data's size. * \param aStride The image data's stride. * \param aFormat The image data's format. * \param aDstRegion Region of the texture to upload. @@ -46,6 +47,7 @@ class GLContext; gfx::SurfaceFormat UploadImageDataToTexture(GLContext* gl, unsigned char* aData, + const gfx::IntSize& aDataSize, int32_t aStride, gfx::SurfaceFormat aFormat, const nsIntRegion& aDstRegion, diff --git a/gfx/gl/TextureImageEGL.cpp b/gfx/gl/TextureImageEGL.cpp index 87a547c269..3bb2987d1d 100644 --- a/gfx/gl/TextureImageEGL.cpp +++ b/gfx/gl/TextureImageEGL.cpp @@ -119,6 +119,10 @@ TextureImageEGL::DirectUpdate(gfx::DataSourceSurface* aSurf, const nsIntRegion& &uploadSize, needInit, aFrom); + if (mTextureFormat == SurfaceFormat::UNKNOWN) { + return false; + } + if (uploadSize > 0) { UpdateUploadSize(uploadSize); } -- cgit v1.2.3