authorGeoff Lang <geofflang@chromium.org>2021-04-19 12:47:05 -0400
committerMichael BrĂ¼ning <michael.bruning@qt.io>2021-04-27 16:00:12 +0000
commit7d388ce566899d22617cb116c67161f150f93139 (patch)
treeedd7b3f4c5679787cd74a7a2014578bc9c8302e0
parent364aa54de0b7d7c9c2453696e77b36a08d015b42 (diff)
[Backport] CVE-2021-21233: Heap buffer overflow in ANGLE
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/angle/angle/+/2836786: D3D11: Skip blits if there is no intersection of dest areas Blit11 would clip the destination rectangle with the destination size but ignore the result. gl::ClipRectangle returns false when the rectangles do not intersect at all, indicating the blit can be skipped. This could lead to an out-of-bounds write to the GPU memory for the destination texture. Mark ClipRectangle as nodiscard to prevent future issues. Bug: chromium:1199402 Change-Id: I260e82d0917b8aa7e7887f2c9f7ed4b1a03ba785 Reviewed-by: Jamie Madill <jmadill@chromium.org> Commit-Queue: Geoff Lang <geofflang@chromium.org> Also fixes Chromium bug 1182937. Change-Id: I6cb64f2e888c605b0c205bb296f1d5143612796e Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/angle/src/libANGLE/angletypes.h2
-rw-r--r--chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp5
-rw-r--r--chromium/third_party/angle/src/libANGLE/renderer/gl/FramebufferGL.cpp5
-rw-r--r--chromium/third_party/angle/src/libANGLE/renderer/metal/ContextMtl.mm5
-rw-r--r--chromium/third_party/angle/src/libANGLE/renderer/vulkan/ContextVk.cpp7
5 files changed, 18 insertions, 6 deletions
diff --git a/chromium/third_party/angle/src/libANGLE/angletypes.h b/chromium/third_party/angle/src/libANGLE/angletypes.h
index b92e5b439f0..2ef2aa19dd5 100644
--- a/chromium/third_party/angle/src/libANGLE/angletypes.h
+++ b/chromium/third_party/angle/src/libANGLE/angletypes.h
@@ -74,7 +74,7 @@ struct Rectangle
bool operator==(const Rectangle &a, const Rectangle &b);
bool operator!=(const Rectangle &a, const Rectangle &b);
-bool ClipRectangle(const Rectangle &source, const Rectangle &clip, Rectangle *intersection);
+ANGLE_NO_DISCARD bool ClipRectangle(const Rectangle &source, const Rectangle &clip, Rectangle *intersection);
struct Offset
{
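Review bot: The new `ANGLE_NO_DISCARD` forces callers to look at the result, but the declaration still does not say what the result means or what `*intersection` holds when it is false, and all four call sites touched by this commit now depend on that contract. A comment above the declaration would pin it down, e.g. `// Returns false when |source| and |clip| do not overlap; |*intersection| should then be treated as unspecified.` The "treated as unspecified" wording is deliberate because the definition is not in this diff; if the implementation guarantees an empty rectangle on that path, state that instead.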
diff --git a/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp b/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp
index 55f8f8f4d38..6d9365af8db 100644
--- a/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp
+++ b/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp
@@ -141,7 +141,10 @@ void StretchedBlitNearest(const gl::Box &sourceArea,
uint8_t *destData)
{
gl::Rectangle clippedDestArea(destArea.x, destArea.y, destArea.width, destArea.height);
- gl::ClipRectangle(clippedDestArea, clipRect, &clippedDestArea);
+ if (!gl::ClipRectangle(clippedDestArea, clipRect, &clippedDestArea))
+ {
+ return;
+ }
// Determine if entire rows can be copied at once instead of each individual pixel. There
// must be no out of bounds lookups, whole rows copies, and no scale.
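Review bot: The early return at the top of the hunk is correct but unexplained, and a reader without the CVE context may later see it as a redundant guard; a one-line why-comment keeps it from being "simplified" away: `// No overlap with the clip rect: nothing to copy, and continuing would write outside destData.` The call also passes `clippedDestArea` as both the source and the output rectangle, which predates this change; that is only safe if ClipRectangle tolerates aliasing, which cannot be confirmed from this diff. StretchedBlitNearest's signature and body continue outside the hunk.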
diff --git a/chromium/third_party/angle/src/libANGLE/renderer/gl/FramebufferGL.cpp b/chromium/third_party/angle/src/libANGLE/renderer/gl/FramebufferGL.cpp
index 833d4fe9bb1..bb56048779b 100644
--- a/chromium/third_party/angle/src/libANGLE/renderer/gl/FramebufferGL.cpp
+++ b/chromium/third_party/angle/src/libANGLE/renderer/gl/FramebufferGL.cpp
@@ -1117,7 +1117,10 @@ angle::Result FramebufferGL::clipSrcRegion(const gl::Context *context,
// If pixels lying outside the read framebuffer, adjust src region
// and dst region to appropriate in-bounds regions respectively.
gl::Rectangle realSourceRegion;
- ClipRectangle(bounds.sourceRegion, bounds.sourceBounds, &realSourceRegion);
+ if (!ClipRectangle(bounds.sourceRegion, bounds.sourceBounds, &realSourceRegion))
+ {
+ return angle::Result::Stop;
+ }
GLuint xOffset = realSourceRegion.x - bounds.sourceRegion.x;
GLuint yOffset = realSourceRegion.y - bounds.sourceRegion.y;
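Review bot: Returning `angle::Result::Stop` for a non-intersecting source region conflates a benign skip with the failure path: in this codebase `Stop` is normally what propagates after an error has been recorded on the context, and here nothing is recorded, so a caller wrapping this in ANGLE_TRY will abandon the blit silently. If "nothing to copy" is the intent, say so at the return, e.g. `// Source region lies entirely outside the read framebuffer: nothing to blit.`; otherwise consider surfacing an explicit empty-region result the caller can distinguish from an error. The guard also protects the unsigned subtraction `GLuint xOffset = realSourceRegion.x - bounds.sourceRegion.x;` that follows, which only stays non-negative when the clip actually produced a sub-rectangle. clipSrcRegion's signature and remainder lie outside the hunk.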
diff --git a/chromium/third_party/angle/src/libANGLE/renderer/metal/ContextMtl.mm b/chromium/third_party/angle/src/libANGLE/renderer/metal/ContextMtl.mm
index 88c4987433e..b069da6e504 100644
--- a/chromium/third_party/angle/src/libANGLE/renderer/metal/ContextMtl.mm
+++ b/chromium/third_party/angle/src/libANGLE/renderer/metal/ContextMtl.mm
@@ -1362,7 +1362,10 @@ void ContextMtl::updateScissor(const gl::State &glState)
// Clip the render area to the viewport.
gl::Rectangle viewportClippedRenderArea;
- gl::ClipRectangle(renderArea, glState.getViewport(), &viewportClippedRenderArea);
+ if (!gl::ClipRectangle(renderArea, glState.getViewport(), &viewportClippedRenderArea))
+ {
+ viewportClippedRenderArea = gl::Rectangle();
+ }
gl::Rectangle scissoredArea = ClipRectToScissor(getState(), viewportClippedRenderArea, false);
if (framebufferMtl->flipY())
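Review bot: Resetting to `gl::Rectangle()` when the render area and viewport do not overlap is sound, but nothing in the hunk says that an all-zero rectangle is the intended "scissor out everything" value, and the same unexplained fallback appears in the ContextVk.cpp hunk of this commit. A short comment on the assignment would carry the intent: `// No overlap: a zero-size rectangle scissors out all fragments.` — this assumes the default constructor zero-initialises, which is not visible here. Before this change the out-parameter was left in whatever state ClipRectangle gave it on the false path, so the explicit reset also removes a possibly-uninitialised read; the Vulkan hunk benefits identically. updateScissor continues outside the hunk.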
diff --git a/chromium/third_party/angle/src/libANGLE/renderer/vulkan/ContextVk.cpp b/chromium/third_party/angle/src/libANGLE/renderer/vulkan/ContextVk.cpp
index 8cdf049cd30..433a034b82e 100644
--- a/chromium/third_party/angle/src/libANGLE/renderer/vulkan/ContextVk.cpp
+++ b/chromium/third_party/angle/src/libANGLE/renderer/vulkan/ContextVk.cpp
@@ -2824,8 +2824,11 @@ angle::Result ContextVk::updateScissorImpl(const gl::State &glState, bool should
// Clip the render area to the viewport.
gl::Rectangle viewportClippedRenderArea;
- gl::ClipRectangle(renderArea, getCorrectedViewport(glState.getViewport()),
- &viewportClippedRenderArea);
+ if (!gl::ClipRectangle(renderArea, getCorrectedViewport(glState.getViewport()),
+ &viewportClippedRenderArea))
+ {
+ viewportClippedRenderArea = gl::Rectangle();
+ }
gl::Rectangle scissoredArea = ClipRectToScissor(getState(), viewportClippedRenderArea, false);
gl::Rectangle rotatedScissoredArea;