From 6db7677c7a91719ce7d518da5112ca2d6036ffee Mon Sep 17 00:00:00 2001
From: w00607952
Date: Wed, 12 Feb 2025 22:46:35 +0800
Subject: [PATCH] fix CVE-2022-3653
Signed-off-by: w00607952
---
.../externals/angle2/src/libANGLE/State.h | 5 ++
.../src/libANGLE/renderer/vulkan/QueryVk.cpp | 7 +++
.../src/tests/gl_tests/StateChangeTest.cpp | 46 +++++++++++++++++++
3 files changed, 58 insertions(+)
diff --git a/third_party/externals/angle2/src/libANGLE/State.h b/third_party/externals/angle2/src/libANGLE/State.h
index 41927cd1d2..b84d85429f 100644
--- a/third_party/externals/angle2/src/libANGLE/State.h
+++ b/third_party/externals/angle2/src/libANGLE/State.h
@@ -598,6 +598,11 @@ class State : angle::NonCopyable
 bool isRobustResourceInitEnabled() const { return mRobustResourceInit; }
+ bool isDrawFramebufferBindingDirty() const
+ {
+ return mDirtyBits.test(DIRTY_BIT_DRAW_FRAMEBUFFER_BINDING);
+ }
+ // Sets the dirty bit for the program executable. angle::Result onProgramExecutableChange(const Context *context, Program *program); // Sets the dirty bit for the program pipeline executable.
diff --git a/third_party/externals/angle2/src/libANGLE/renderer/vulkan/QueryVk.cpp b/third_party/externals/angle2/src/libANGLE/renderer/vulkan/QueryVk.cpp
index 921adfc6e0..f806326113 100644
--- a/third_party/externals/angle2/src/libANGLE/renderer/vulkan/QueryVk.cpp
+++ b/third_party/externals/angle2/src/libANGLE/renderer/vulkan/QueryVk.cpp
@@ -302,6 +302,13 @@ angle::Result QueryVk::begin(const gl::Context *context)
 {
 ContextVk *contextVk = vk::GetImpl(context);
+ // Ensure that we start with the right RenderPass when we begin a new query.
+ if (contextVk->getState().isDrawFramebufferBindingDirty())
+ {
+ ANGLE_TRY(contextVk->flushCommandsAndEndRenderPass(
+ RenderPassClosureReason::FramebufferBindingChange));
+ }
+ mCachedResultValid = false; // Transform feedback query is handled by a CPU-calculated value when emulated.
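Review bot: `isDrawFramebufferBindingDirty()` in State.h is added without a comment, although it exposes a raw dirty bit whose value depends on when it is read. Presumably the bit is cleared once the backend has synced state, so the accessor is only meaningful before that sync; that ordering constraint should be stated on the declaration, e.g. `// True while a draw-framebuffer rebind has not yet been synced to the backend; only valid before the dirty bits are cleared.` The rest of class State lies outside the hunk, so this should be confirmed against where the dirty bits are reset.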
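Review bot: The comment on the new guard in QueryVk::begin says what it does but not why it is a memory-safety fix, so a later cleanup could drop it as a redundant flush. Judging from the added MultiviewAndQueries test, the hazard appears to be a query started inside a render pass that still belongs to the previously bound framebuffer, possibly with a different view count; I would spell that out, e.g. `// The FBO binding is synced lazily: while it is dirty the open render pass still targets the old framebuffer, so close it before any query state is set up (CVE-2022-3653).` The check also sits before the query type is examined, so it flushes for every query type, including the CPU-emulated transform feedback path mentioned just below; if that is deliberate the comment should say so. The body of begin() continues outside the hunk.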
diff --git a/third_party/externals/angle2/src/tests/gl_tests/StateChangeTest.cpp b/third_party/externals/angle2/src/tests/gl_tests/StateChangeTest.cpp
index 7641117f12..7b3100878e 100644
--- a/third_party/externals/angle2/src/tests/gl_tests/StateChangeTest.cpp
+++ b/third_party/externals/angle2/src/tests/gl_tests/StateChangeTest.cpp
@@ -7410,6 +7410,52 @@ TEST_P(SimpleStateChangeTestES3, DrawFlushThenBlit)
 glFlush();
 ASSERT_GL_NO_ERROR();
 }
+
+// Tests a specific case for multiview and queries.
+TEST_P(SimpleStateChangeTestES3, MultiviewAndQueries)
+{
+ ANGLE_SKIP_TEST_IF(!EnsureGLExtensionEnabled("GL_OVR_multiview"));
+
+ ANGLE_GL_PROGRAM(prog, essl1_shaders::vs::Zero(), essl1_shaders::fs::Red());
+ glUseProgram(prog);
+
+ const int PRE_QUERY_CNT = 63;
+
+ GLQuery qry;
+ GLTexture tex;
+ GLFramebuffer fb;
+ GLFramebuffer fb2;
+ glBeginQuery(GL_ANY_SAMPLES_PASSED, qry);
+ for (int i = 0; i < PRE_QUERY_CNT; i++)
+ {
+ glDrawArrays(GL_POINTS, 0, 1);
+
+ GLColor color;
+ glReadPixels(0, 0, 1, 1, GL_RGBA, GL_UNSIGNED_BYTE, &color);
+ }
+ glEndQuery(GL_ANY_SAMPLES_PASSED);
+ glColorMask(GL_TRUE, GL_FALSE, GL_FALSE, GL_FALSE);
+ glBindTexture(GL_TEXTURE_2D_ARRAY, tex);
+ glTexStorage3D(GL_TEXTURE_2D_ARRAY, 1, GL_RGBA8, 2, 2, 2);
+ glBindFramebuffer(GL_FRAMEBUFFER, fb);
+ glFramebufferTextureMultiviewOVR(GL_FRAMEBUFFER, GL_COLOR_ATTACHMENT0, tex, 0, 0, 2);
+ glClear(GL_COLOR_BUFFER_BIT);
+ glBindFramebuffer(GL_FRAMEBUFFER, fb2);
+ glBeginQuery(GL_ANY_SAMPLES_PASSED, qry);
+}
+
+// Tests a bug related to an ordering of certain commands.
+TEST_P(SimpleStateChangeTestES3, ClearQuerySwapClear)
+{
+ glClear(GL_COLOR_BUFFER_BIT);
+ {
+ GLQuery query;
+ glBeginQuery(GL_ANY_SAMPLES_PASSED, query);
+ glEndQuery(GL_ANY_SAMPLES_PASSED);
+ }
+ swapBuffers();
+ glClear(GL_COLOR_BUFFER_BIT);
+}
 } // anonymous namespace
 ANGLE_INSTANTIATE_TEST_ES2(StateChangeTest);
-- Gitee
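Review bot: MultiviewAndQueries ends immediately after the second `glBeginQuery` with no assertion, so it can only fail by crashing or through a sanitizer or validation-layer report, and a GL error raised by the multiview setup would pass silently. I would add `ASSERT_GL_NO_ERROR();` as the last statement and say in the test comment that the pass criterion is the absence of a crash. `PRE_QUERY_CNT = 63` is unexplained; it is presumably tied to an internal query-pool size, and a one-line comment should state what the number stands for once that is confirmed. ClearQuerySwapClear has the same missing final check, and its comment ("a bug related to an ordering of certain commands") does not say which ordering is being exercised.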