From 7cfd4ae3d3a142752cb88d3c7456e4a92881f13c Mon Sep 17 00:00:00 2001
From: w00607952
Date: Wed, 12 Feb 2025 22:58:19 +0800
Subject: [PATCH] fix CVE-2023-4073
Signed-off-by: w00607952
---
.../src/libANGLE/renderer/gl/BufferGL.cpp | 5 +++++
.../src/libANGLE/renderer/gl/BufferGL.h | 1 +
.../libANGLE/renderer/gl/VertexArrayGL.cpp | 11 +++++++++-
.../libANGLE/renderer/gl/renderergl_utils.cpp | 3 +++
.../angle_end2end_tests_expectations.txt | 1 +
.../tests/gl_tests/WebGLCompatibilityTest.cpp | 20 +++++++++++++++++++
6 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/third_party/externals/angle2/src/libANGLE/renderer/gl/BufferGL.cpp b/third_party/externals/angle2/src/libANGLE/renderer/gl/BufferGL.cpp
index adfed7ae78..9189cc095b 100644
--- a/third_party/externals/angle2/src/libANGLE/renderer/gl/BufferGL.cpp
+++ b/third_party/externals/angle2/src/libANGLE/renderer/gl/BufferGL.cpp
@@ -284,6 +284,11 @@ angle::Result BufferGL::getIndexRange(const gl::Context *context, return angle::Result::Continue; } +size_t BufferGL::getBufferSize() const +{ + return mBufferSize; +} + GLuint BufferGL::getBufferID() const { return mBufferID;
diff --git a/third_party/externals/angle2/src/libANGLE/renderer/gl/BufferGL.h b/third_party/externals/angle2/src/libANGLE/renderer/gl/BufferGL.h
index 7b57594580..fe9138e816 100644
--- a/third_party/externals/angle2/src/libANGLE/renderer/gl/BufferGL.h
+++ b/third_party/externals/angle2/src/libANGLE/renderer/gl/BufferGL.h
@@ -56,6 +56,7 @@ class BufferGL : public BufferImpl bool primitiveRestartEnabled, gl::IndexRange *outRange) override; + size_t getBufferSize() const; GLuint getBufferID() const; private:
diff --git a/third_party/externals/angle2/src/libANGLE/renderer/gl/VertexArrayGL.cpp b/third_party/externals/angle2/src/libANGLE/renderer/gl/VertexArrayGL.cpp
index 309027c0f3..5ee74c364c 100644
--- a/third_party/externals/angle2/src/libANGLE/renderer/gl/VertexArrayGL.cpp
+++ b/third_party/externals/angle2/src/libANGLE/renderer/gl/VertexArrayGL.cpp
@@ -646,6 +646,7 @@ angle::Result VertexArrayGL::updateAttribEnabled(const gl::Context *context, siz angle::Result VertexArrayGL::updateAttribPointer(const gl::Context *context, size_t attribIndex) { + const angle::FeaturesGL &features = GetFeaturesGL(context); const VertexAttribute &attrib = mState.getVertexAttribute(attribIndex);
@@ -687,8 +688,16 @@ angle::Result VertexArrayGL::updateAttribPointer(const gl::Context *context, siz // is not NULL. StateManagerGL *stateManager = GetStateManagerGL(context); - GLuint bufferId = GetNativeBufferID(arrayBuffer); + BufferGL *bufferGL = GetImplAs(arrayBuffer); + GLuint bufferId = bufferGL->getBufferID(); stateManager->bindBuffer(gl::BufferBinding::Array, bufferId); + if (features.ensureNonEmptyBufferIsBoundForDraw.enabled && bufferGL->getBufferSize() == 0) + { + constexpr uint32_t data = 0; + ANGLE_TRY(bufferGL->setData(context, gl::BufferBinding::Array, &data, sizeof(data), + gl::BufferUsage::StaticDraw)); + ASSERT(bufferGL->getBufferSize() > 0); + } ANGLE_TRY(callVertexAttribPointer(context, static_cast(attribIndex), attrib, binding.getStride(), binding.getOffset()));
diff --git a/third_party/externals/angle2/src/libANGLE/renderer/gl/renderergl_utils.cpp b/third_party/externals/angle2/src/libANGLE/renderer/gl/renderergl_utils.cpp
index 2cbb5067f1..c935934462 100644
--- a/third_party/externals/angle2/src/libANGLE/renderer/gl/renderergl_utils.cpp
+++ b/third_party/externals/angle2/src/libANGLE/renderer/gl/renderergl_utils.cpp
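Review bot: The zero-size guard added to updateAttribPointer only runs when the attribute pointer itself is re-applied, so a buffer that the application shrinks to zero bytes after the pointer was set (glBufferData with size 0 on the already-bound buffer, VAO untouched) would, as far as this hunk shows, reach the draw without the 4-byte backing store unless a dirty bit sends the attribute back through this path; worth confirming against the VAO dirty-bit handling, which is outside the hunk. Calling the impl's setData directly also leaves the front-end gl::Buffer size as the application set it, which is presumably intended so validation keeps rejecting out-of-range reads, but nothing in the block says so. I would put a comment above the if: `// Workaround (ensureNonEmptyBufferIsBoundForDraw): some drivers mishandle a zero-sized buffer bound to a vertex attribute, so give it a few bytes of real storage before the draw (the front-end gl::Buffer size is not updated here).` `GetImplAs(arrayBuffer)` and `static_cast(attribIndex)` print without template arguments here, presumably lost in rendering rather than in the patch. updateAttribPointer starts in the previous hunk and continues past this one.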
@@ -2198,6 +2198,9 @@ void InitializeFeatures(const FunctionsGL *functions, angle::FeaturesGL *feature // https://crbug.com/1060012 ANGLE_FEATURE_CONDITION(features, emulateImmutableCompressedTexture3D, isQualcomm); + + // http://crbug.com/1456243 + ANGLE_FEATURE_CONDITION(features, ensureNonEmptyBufferIsBoundForDraw, IsApple() || IsAndroid()); } void InitializeFrontendFeatures(const FunctionsGL *functions, angle::FrontendFeatures *features)
diff --git a/third_party/externals/angle2/src/tests/angle_end2end_tests_expectations.txt b/third_party/externals/angle2/src/tests/angle_end2end_tests_expectations.txt
index 480db0f2de..e2e6b4e0ab 100644
--- a/third_party/externals/angle2/src/tests/angle_end2end_tests_expectations.txt
+++ b/third_party/externals/angle2/src/tests/angle_end2end_tests_expectations.txt
@@ -226,6 +226,7 @@ 3841 WIN D3D11 : GLSLTest_ES31.BoolInInterfaceBlocks/* = SKIP // Mistranslation 6216 WIN D3D11 : GLSLTest_ES31.StorageBufferBoolVectorPassedToFunctions/* = SKIP +1456243 WIN D3D11 : WebGL2CompatibilityTest.DrawWithZeroSizedBuffer/* = SKIP // Android 6095 ANDROID GLES : GLSLTest_ES3.InitGlobalComplexConstant/* = SKIP
diff --git a/third_party/externals/angle2/src/tests/gl_tests/WebGLCompatibilityTest.cpp b/third_party/externals/angle2/src/tests/gl_tests/WebGLCompatibilityTest.cpp
index 8c9dfbb6db..5b0054dfbb 100644
--- a/third_party/externals/angle2/src/tests/gl_tests/WebGLCompatibilityTest.cpp
+++ b/third_party/externals/angle2/src/tests/gl_tests/WebGLCompatibilityTest.cpp
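Review bot: None of the six files in the diffstat is the header that declares the FeaturesGL members, yet this `ANGLE_FEATURE_CONDITION(features, ensureNonEmptyBufferIsBoundForDraw, IsApple() || IsAndroid());` and the `features.ensureNonEmptyBufferIsBoundForDraw.enabled` read in VertexArrayGL.cpp both need that member to exist; unless this tree already declares it, the backport will not build. The condition also turns the workaround on for Android while the new test's comment only mentions Apple OpenGL drivers, and the crbug link alone does not say why; a short comment next to it stating the Android reason (or that it is enabled there as a precaution) would keep the scope reviewable. InitializeFeatures starts before this hunk.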
@@ -5682,6 +5682,26 @@ TEST_P(WebGL2CompatibilityTest, ReadPixelsRgbx8AngleUnsignedByte) EXPECT_EQ(GLColor::red, pixel); } +// Test for a mishandling of instanced vertex attributes with zero-sized buffers bound on Apple +// OpenGL drivers. +TEST_P(WebGL2CompatibilityTest, DrawWithZeroSizedBuffer) +{ + ANGLE_GL_PROGRAM(program, essl3_shaders::vs::Simple(), essl3_shaders::fs::Red()); + glUseProgram(program); + + GLBuffer buffer; + glBindBuffer(GL_ARRAY_BUFFER, buffer); + + GLint posLocation = glGetAttribLocation(program, essl3_shaders::PositionAttrib()); + glEnableVertexAttribArray(posLocation); + + glVertexAttribDivisor(posLocation, 1); + glVertexAttribPointer(posLocation, 1, GL_UNSIGNED_BYTE, GL_FALSE, 9, + reinterpret_cast(0x41424344)); + + glDrawArrays(GL_TRIANGLES, 0, 6); +} + ANGLE_INSTANTIATE_TEST_ES2_AND_ES3(WebGLCompatibilityTest); GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(WebGL2CompatibilityTest);
-- Gitee
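Review bot: DrawWithZeroSizedBuffer ends at `glDrawArrays(GL_TRIANGLES, 0, 6);` with no expectation, so it only proves the draw does not crash, and the values it relies on (stride 9, offset 0x41424344, divisor 1) are unexplained. WebGL validation should presumably reject this draw because the enabled attribute's buffer holds zero bytes; if that is the case, `EXPECT_GL_ERROR(GL_INVALID_OPERATION);` after the draw would pin that the call is rejected by validation rather than merely surviving, and a comment on the setup such as `// Instanced attribute on a zero-sized buffer with an out-of-range offset (crbug 1456243); the draw must not reach the driver with an empty buffer.` would state what is being exercised. `reinterpret_cast(0x41424344)` prints without its template argument here, presumably lost in rendering rather than in the patch. The preceding test's closing brace and the ANGLE_INSTANTIATE lines are context only.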