From 6f5872e7798d756db77bf998581cf275b50eaeee Mon Sep 17 00:00:00 2001 From: w00607952 Date: Wed, 12 Feb 2025 23:15:14 +0800 Subject: [PATCH] fix CVE-2022-1639 Signed-off-by: w00607952 --- .../externals/angle2/src/libANGLE/State.cpp | 6 +--- .../angle_end2end_tests_expectations.txt | 4 +++ .../tests/gl_tests/TransformFeedbackTest.cpp | 35 +++++++++++++++++++ 3 files changed, 40 insertions(+), 5 deletions(-) diff --git a/third_party/externals/angle2/src/libANGLE/State.cpp b/third_party/externals/angle2/src/libANGLE/State.cpp index 2fb00e95a4..e9635038a1 100644 --- a/third_party/externals/angle2/src/libANGLE/State.cpp +++ b/third_party/externals/angle2/src/libANGLE/State.cpp @@ -2174,11 +2174,7 @@ angle::Result State::detachBuffer(Context *context, const Buffer *buffer) if (curTransformFeedback) { ANGLE_TRY(curTransformFeedback->detachBuffer(context, bufferID)); - //angle CVE-2022-0975 - if (isTransformFeedbackActiveUnpaused()) - { - context->getStateCache().onActiveTransformFeedbackChange(context); - } + context->getStateCache().onActiveTransformFeedbackChange(context); } if (getVertexArray()->detachBuffer(context, bufferID)) diff --git a/third_party/externals/angle2/src/tests/angle_end2end_tests_expectations.txt b/third_party/externals/angle2/src/tests/angle_end2end_tests_expectations.txt index 480db0f2de..da079ac859 100644 --- a/third_party/externals/angle2/src/tests/angle_end2end_tests_expectations.txt +++ b/third_party/externals/angle2/src/tests/angle_end2end_tests_expectations.txt @@ -412,3 +412,7 @@ 6718 TSAN : MultithreadingTestES3.MultithreadFenceDraw/* = SKIP 6718 TSAN : MultithreadingTestES3.MultithreadFenceTexImage/* = SKIP 6746 TSAN : *Vulkan_AsyncQueue = SKIP + +// Causes incompatible error in GL back-end. +7218 OPENGL : TransformFeedbackTest.DrawAfterDeletingPausedBuffer/* = SKIP +7218 GLES : TransformFeedbackTest.DrawAfterDeletingPausedBuffer/* = SKIP \ No newline at end of file 
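Review bot: The now-unconditional `context->getStateCache().onActiveTransformFeedbackChange(context);` in State::detachBuffer has no comment, and the removed lines held the only marker (`//angle CVE-2022-0975`) tying this call to a security fix. A later cleanup could reintroduce the `isTransformFeedbackActiveUnpaused()` guard without noticing. I would add above the call: `// Refresh the cached XFB state even when transform feedback is paused; guarding this on the unpaused state was the gap behind CVE-2022-1639 (earlier fix: CVE-2022-0975).` The rationale is inferred from the test added in this patch and should be confirmed against StateCache. The body of detachBuffer starts and ends outside the hunk, so the other detach paths are not reviewed here.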
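Review bot: The two added `7218 ... = SKIP` lines disable DrawAfterDeletingPausedBuffer on the OPENGL and GLES back-ends, so the regression test for this CVE fix does not run there. The comment `// Causes incompatible error in GL back-end.` does not say which error is returned. I would record it, for example `// GL back-end returns <observed error> instead of GL_INVALID_OPERATION after the paused XFB buffer is deleted.`, so the skip can be revisited against 7218. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`); ending the last line with a newline keeps later appends from merging into it.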
diff --git a/third_party/externals/angle2/src/tests/gl_tests/TransformFeedbackTest.cpp b/third_party/externals/angle2/src/tests/gl_tests/TransformFeedbackTest.cpp index 95a3797b11..f6550fc542 100644 --- a/third_party/externals/angle2/src/tests/gl_tests/TransformFeedbackTest.cpp +++ b/third_party/externals/angle2/src/tests/gl_tests/TransformFeedbackTest.cpp @@ -4033,6 +4033,41 @@ TEST_P(TransformFeedbackTest, DeletingTransformFeedback) EXPECT_GL_ERROR(GL_INVALID_OPERATION); } +// Validates that drawing after deleting a buffer in a paused XFB. +TEST_P(TransformFeedbackTest, DrawAfterDeletingPausedBuffer) +{ + ANGLE_GL_PROGRAM_TRANSFORM_FEEDBACK(testProgram, essl1_shaders::vs::Simple(), + essl1_shaders::fs::Green(), {"gl_Position"}, + GL_INTERLEAVED_ATTRIBS); + glUseProgram(testProgram); + + std::vector data(100, 0); + + std::array quadVerts = GetQuadVertices(); + + GLint loc = glGetAttribLocation(testProgram, essl1_shaders::PositionAttrib()); + ASSERT_NE(-1, loc); + + GLBuffer posBuf; + glBindBuffer(GL_ARRAY_BUFFER, posBuf); + glBufferData(GL_ARRAY_BUFFER, quadVerts.size() * sizeof(quadVerts[0]), quadVerts.data(), + GL_STATIC_DRAW); + glVertexAttribPointer(loc, 3, GL_FLOAT, GL_FALSE, 0, nullptr); + glEnableVertexAttribArray(loc); + glBindBuffer(GL_ARRAY_BUFFER, 0); + + GLBuffer buf; + glBindBufferBase(GL_TRANSFORM_FEEDBACK_BUFFER, 0, buf); + glBufferData(GL_TRANSFORM_FEEDBACK_BUFFER, data.size() * sizeof(data[0]), data.data(), + GL_STATIC_DRAW); + glBeginTransformFeedback(GL_POINTS); + glPauseTransformFeedback(); + glDrawArrays(GL_POINTS, 0, 1); + buf.reset(); + glDrawArrays(GL_POINTS, 0, 1); + EXPECT_GL_ERROR(GL_INVALID_OPERATION); +} + GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(TransformFeedbackTest); ANGLE_INSTANTIATE_TEST_ES3(TransformFeedbackTest); -- Gitee
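Review bot: In DrawAfterDeletingPausedBuffer nothing checks the GL error state before `buf.reset()`, so the final `EXPECT_GL_ERROR(GL_INVALID_OPERATION)` would also pass if the setup or the first paused draw had already raised that error. Adding `ASSERT_GL_NO_ERROR();` right after the first `glDrawArrays(GL_POINTS, 0, 1);` ties the expected error to the draw that follows the buffer deletion. The leading comment is also an incomplete sentence and does not state the expected outcome. Something like `// Verifies that drawing after deleting a buffer bound to a paused XFB reports GL_INVALID_OPERATION instead of using the deleted buffer.` would document what the test guards.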