Protect against integer overflows in the IndexBuffer class by validating that the new write position will not overflow.

Issue 444 Signed-off-by: Jamie Madil Signed-off-by: Shannon Woods Author: Geoff Lang
author: Geoff Lang <geofflang@google.com> 2013-07-09 16:02:30 -0400
committer: Shannon Woods <shannonwoods@chromium.org> 2013-07-11 13:10:11 -0400
commit: 6322ef4790e5c546c1d9bfaf5877ffc6048bc541 (patch)
tree: 1febffc4b3c7eaa031c21dc845a712eff0cfd434
parent: 0c8b4e563e2926f37b5b357c1fafb7115d272e03 (diff)
download: angle_dx11-6322ef4790e5c546c1d9bfaf5877ffc6048bc541.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/src/libGLESv2/renderer/IndexBuffer.cpp b/src/libGLESv2/renderer/IndexBuffer.cpp
index 16fd7823..3d5d7a7c 100644
--- a/src/libGLESv2/renderer/IndexBuffer.cpp
+++ b/src/libGLESv2/renderer/IndexBuffer.cpp
@@ -130,12 +130,13 @@ bool StreamingIndexBufferInterface::reserveBufferSpace(unsigned int size, GLenum
 {
     bool result = true;
     unsigned int curBufferSize = getBufferSize();
+    unsigned int writePos = getWritePosition();
     if (size > curBufferSize)
     {
         result = setBufferSize(std::max(size, 2 * curBufferSize), indexType);
         setWritePosition(0);
     }
-    else if (getWritePosition() + size > curBufferSize)
+    else if (writePos + size > curBufferSize || writePos + size < writePos)
     {
         if (!discard())
         {
author	Geoff Lang <geofflang@google.com>	2013-07-09 16:02:30 -0400
committer	Shannon Woods <shannonwoods@chromium.org>	2013-07-11 13:10:11 -0400
commit	6322ef4790e5c546c1d9bfaf5877ffc6048bc541 (patch)
tree	1febffc4b3c7eaa031c21dc845a712eff0cfd434
parent	0c8b4e563e2926f37b5b357c1fafb7115d272e03 (diff)
download	angle_dx11-6322ef4790e5c546c1d9bfaf5877ffc6048bc541.tar.gz