From e7189e33f533f9b974b22c2110b522a13bc4c7f6 Mon Sep 17 00:00:00 2001
From: Andrew Osmond <aosmond@mozilla.com>
Date: Tue, 10 Apr 2018 09:40:02 -0400
Subject: Bug 1388020. r=nical, a=RyanVM

---
 gfx/gl/GLUploadHelpers.cpp | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

(limited to 'gfx/gl/GLUploadHelpers.cpp')

diff --git a/gfx/gl/GLUploadHelpers.cpp b/gfx/gl/GLUploadHelpers.cpp
index 75165eedf..ca1c890a4 100644
--- a/gfx/gl/GLUploadHelpers.cpp
+++ b/gfx/gl/GLUploadHelpers.cpp
@@ -27,6 +27,23 @@ DataOffset(const IntPoint& aPoint, int32_t aStride, SurfaceFormat aFormat)
   return data;
 }
 
+static bool
+CheckUploadBounds(const IntSize& aDst, const IntSize& aSrc, const IntPoint& aOffset)
+{
+  if (aOffset.x < 0 || aOffset.y < 0 ||
+      aOffset.x >= aSrc.width ||
+      aOffset.y >= aSrc.height) {
+    MOZ_ASSERT_UNREACHABLE("Offset outside source bounds");
+    return false;
+  }
+  if (aDst.width > (aSrc.width - aOffset.x) ||
+      aDst.height > (aSrc.height - aOffset.y)) {
+    MOZ_ASSERT_UNREACHABLE("Source has insufficient data");
+    return false;
+  }
+  return true;
+}
+
 static GLint GetAddressAlignment(ptrdiff_t aAddress)
 {
     if (!(aAddress & 0x7)) {
@@ -375,6 +392,7 @@ TexImage2DHelper(GLContext* gl,
 SurfaceFormat
 UploadImageDataToTexture(GLContext* gl,
                          unsigned char* aData,
+                         const gfx::IntSize& aDataSize,
                          int32_t aStride,
                          SurfaceFormat aFormat,
                          const nsIntRegion& aDstRegion,
@@ -498,6 +516,10 @@ UploadImageDataToTexture(GLContext* gl,
         // Upload each rect in the region to the texture
         for (auto iter = aDstRegion.RectIter(); !iter.Done(); iter.Next()) {
             const IntRect& rect = iter.Get();
+            if (!CheckUploadBounds(rect.Size(), aDataSize, rect.TopLeft())) {
+                return SurfaceFormat::UNKNOWN;
+            }
+
             const unsigned char* rectData =
                 aData + DataOffset(rect.TopLeft(), aStride, aFormat);
 
@@ -534,10 +556,17 @@ UploadSurfaceToTexture(GLContext* gl,
 
     int32_t stride = aSurface->Stride();
     SurfaceFormat format = aSurface->GetFormat();
+    gfx::IntSize size = aSurface->GetSize();
+    if (!CheckUploadBounds(aSize, size, aSrcPoint)) {
+        return SurfaceFormat::UNKNOWN;
+    }
+
     unsigned char* data = aSurface->GetData() +
         DataOffset(aSrcPoint, stride, format);
+    size.width -= aSrcPoint.x;
+    size.height -= aSrcPoint.y;
 
-    return UploadImageDataToTexture(gl, data, stride, format,
+    return UploadImageDataToTexture(gl, data, size, stride, format,
                                     aDstRegion, aTexture, aSize,
                                     aOutUploadSize, aNeedInit,
                                     aTextureUnit, aTextureTarget);
-- 
cgit v1.2.3