author | Geoff Lang <geofflang@google.com> | 2013-07-09 16:02:30 -0400 |
---|---|---|
committer | Shannon Woods <shannonwoods@chromium.org> | 2013-07-11 13:10:11 -0400 |
commit | 6322ef4790e5c546c1d9bfaf5877ffc6048bc541 (patch) | |
tree | 1febffc4b3c7eaa031c21dc845a712eff0cfd434 | |
parent | 0c8b4e563e2926f37b5b357c1fafb7115d272e03 (diff) | |
download | angle_dx11-6322ef4790e5c546c1d9bfaf5877ffc6048bc541.tar.gz |
Protect against integer overflows in the IndexBuffer class by validating that the new write position will not overflow.
Issue 444
Signed-off-by: Jamie Madil
Signed-off-by: Shannon Woods
Author: Geoff Lang
-rw-r--r-- | src/libGLESv2/renderer/IndexBuffer.cpp | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/libGLESv2/renderer/IndexBuffer.cpp b/src/libGLESv2/renderer/IndexBuffer.cpp index 16fd7823..3d5d7a7c 100644 --- a/src/libGLESv2/renderer/IndexBuffer.cpp +++ b/src/libGLESv2/renderer/IndexBuffer.cpp @@ -130,12 +130,13 @@ bool StreamingIndexBufferInterface::reserveBufferSpace(unsigned int size, GLenum { bool result = true; unsigned int curBufferSize = getBufferSize(); + unsigned int writePos = getWritePosition(); if (size > curBufferSize) { result = setBufferSize(std::max(size, 2 * curBufferSize), indexType); setWritePosition(0); } - else if (getWritePosition() + size > curBufferSize) + else if (writePos + size > curBufferSize || writePos + size < writePos) { if (!discard()) { |
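Review bot: In the new `else if` condition, the wrap test `writePos + size < writePos` is correct only because unsigned addition wraps, and nothing in the hunk says so. Either add a one-line comment stating that this clause detects wraparound of the sum, or avoid the addition entirely with `size > curBufferSize - writePos`, which holds as long as the write position never exceeds the buffer size (an invariant not visible in these lines). When the sum wraps, control now takes the `discard()` path; because this branch is reached only when `size <= curBufferSize`, the request fits once the buffer has been discarded, so the behaviour looks right. The commit touches only IndexBuffer.cpp, so a regression test that reserves space with the write position close to the unsigned maximum would be worth adding alongside it.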