[Backport] Fix for CVE-2018-17466

Pass unpack buffer as explicit parameter to texSubImage.

This allows us to override it in the incomplete texture init. Any
back-end that used incomplete textures was vulnerable to a bug where
the unpack buffer would be used to initialize the incomplete texture.

Cherry-picked to the chromium/3538 branch cleanly.

Bug:  chromium:880906
Change-Id: Ifca9891ecc207a74673fe1e6ef3e0a2118837fb2
Reviewed-on: https://chromium-review.googlesource.com/1227033
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

1 files changed, 2 insertions, 2 deletions

diff --git a/chromium/third_party/angle/src/libANGLE/renderer/renderer_utils.cpp b/chromium/third_party/angle/src/libANGLE/renderer/renderer_utils.cpp
index 4737af9768f..ea2647f4c5c 100644
--- a/chromium/third_party/angle/src/libANGLE/renderer/renderer_utils.cpp
+++ b/chromium/third_party/angle/src/libANGLE/renderer/renderer_utils.cpp
@@ -525,7 +525,7 @@ gl::Error IncompleteTextureSet::getIncompleteTexture(
              face++)
         {
             ANGLE_TRY(
-                t->setSubImage(context, unpack, face, 0, area, GL_RGBA, GL_UNSIGNED_BYTE, color));
+                t->setSubImage(context, unpack, nullptr, face, 0, area, GL_RGBA, GL_UNSIGNED_BYTE, color));
         }
     }
     else if (type == GL_TEXTURE_2D_MULTISAMPLE)
@@ -536,7 +536,7 @@ gl::Error IncompleteTextureSet::getIncompleteTexture(
     else
     {
         ANGLE_TRY(
-            t->setSubImage(context, unpack, createType, 0, area, GL_RGBA, GL_UNSIGNED_BYTE, color));
+            t->setSubImage(context, unpack, nullptr, createType, 0, area, GL_RGBA, GL_UNSIGNED_BYTE, color));
     }
 
     t->syncState();