Prevent overflow in the variable packer by sanity checking each variable. BUG=346489 Change-Id: I28f5751580729a4d4d77fa6fdee0b4a6628a05de Reviewed-on: https://chromium-review.googlesource.com/188030 Tested-by: Nicolas Capens <nicolascapens@chromium.org> Reviewed-by: Shannon Woods <shannonwoods@chromium.org>

commit: 1d1c1152ac92d50592637bf3f82e3ba0233fb477 [log] [tgz]
author: Nicolas Capens <nicolascapens@chromium.org> Wed Feb 26 11:00:28 2014 -0500
committer: Nicolas Capens <nicolascapens@chromium.org> Wed Feb 26 18:51:35 2014 +0000
tree: d12235c0db884fd7f2dbc6029975f68e64f2291f
parent: b4d192cd8c1573d7df93e64c98bddbe90b598618 [diff] [blame]
diff --git a/src/compiler/translator/VariablePacker.cpp b/src/compiler/translator/VariablePacker.cpp
index ec57bc4..6390e30 100644
--- a/src/compiler/translator/VariablePacker.cpp
+++ b/src/compiler/translator/VariablePacker.cpp

@@ -215,6 +215,14 @@
     bottomNonFullRow_ = maxRows_ - 1;
     TVariableInfoList variables(in_variables);
 
+    // Check whether each variable fits in the available vectors.
+    for (size_t i = 0; i < variables.size(); i++) {
+        const TVariableInfo& variable = variables[i];
+        if (variable.size > maxVectors / GetNumRows(variable.type)) {
+            return false;
+        }
+    }
+
     // As per GLSL 1.017 Appendix A, Section 7 variables are packed in specific
     // order by type, then by size of array, largest first.
     std::sort(variables.begin(), variables.end(), TVariableInfoComparer());
commit	1d1c1152ac92d50592637bf3f82e3ba0233fb477	[log] [tgz]
author	Nicolas Capens <nicolascapens@chromium.org>	Wed Feb 26 11:00:28 2014 -0500
committer	Nicolas Capens <nicolascapens@chromium.org>	Wed Feb 26 18:51:35 2014 +0000
tree	d12235c0db884fd7f2dbc6029975f68e64f2291f
parent	b4d192cd8c1573d7df93e64c98bddbe90b598618 [diff] [blame]