Passthrough CmdDecoder: Use robust CompressedTex(Sub)Image

Desktop / Chromium - cwallez [chromium.org] - 20 April 2017 13:19 EDT

A compromised renderer would have been able to crash ANGLE by sending a 0 shmem ID and non 0 shmem offset for CompressedTex(Sub)Image commands, with no unpack buffer bound. Use the newly added RobustANGLE entry points that check enough data is passed.

BUG=chromium:602688 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2826143003 Cr-Commit-Position: refs/heads/master@{#466042}

7cc769d2 Passthrough CmdDecoder: Use robust CompressedTex(Sub)Image
.../service/gles2_cmd_decoder_passthrough_doers.cc | 28 +-
ui/gl/generate_bindings.py | 29 ++
ui/gl/gl_bindings_api_autogen_gl.h | 41 +++
ui/gl/gl_bindings_autogen_gl.cc | 308 +++++++++++++++++++++
ui/gl/gl_bindings_autogen_gl.h | 100 +++++++
ui/gl/gl_bindings_autogen_mock.cc | 81 ++++++
ui/gl/gl_bindings_autogen_mock.h | 45 +++
ui/gl/gl_enums_implementation_autogen.h | 6 +-
ui/gl/gl_mock.h | 15 +
ui/gl/gl_mock_autogen_gl.h | 34 +++
ui/gl/gl_stub_autogen_gl.h | 41 +++
11 files changed, 709 insertions(+), 19 deletions(-)

Upstream: git.chromium.org


  • Share