ES3: Fix crash when binding nullptr to DEPTH_STENCIL.
In some cases, binding nullptr could query for the internal format
of the null object, causing us to dereference null and crash.
BUG=angleproject:1080
TEST=dEQP-GLES3.functional.multisample.fbo_*
Change-Id: I592ab31dc1efadfac003c39051632fc2a0fff0cc
Reviewed-on: https://chromium-review.googlesource.com/286853
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Tested-by: Jamie Madill <jmadill@chromium.org>
diff --git a/src/libANGLE/Framebuffer.cpp b/src/libANGLE/Framebuffer.cpp
index 635c8c6..04c7856 100644
--- a/src/libANGLE/Framebuffer.cpp
+++ b/src/libANGLE/Framebuffer.cpp
@@ -601,19 +601,21 @@
if (binding == GL_DEPTH_STENCIL || binding == GL_DEPTH_STENCIL_ATTACHMENT)
{
// ensure this is a legitimate depth+stencil format
- FramebufferAttachment::Target target(binding, textureIndex);
- GLenum internalFormat = resource->getAttachmentInternalFormat(target);
- const InternalFormat &formatInfo = GetInternalFormatInfo(internalFormat);
- if (resource && formatInfo.depthBits > 0 && formatInfo.stencilBits > 0)
+ FramebufferAttachmentObject *attachmentObj = resource;
+ if (resource)
{
- mData.mDepthAttachment.attach(type, binding, textureIndex, resource);
- mData.mStencilAttachment.attach(type, binding, textureIndex, resource);
+ FramebufferAttachment::Target target(binding, textureIndex);
+ GLenum internalFormat = resource->getAttachmentInternalFormat(target);
+ const InternalFormat &formatInfo = GetInternalFormatInfo(internalFormat);
+ if (formatInfo.depthBits == 0 || formatInfo.stencilBits == 0)
+ {
+ // Attaching nullptr detaches the current attachment.
+ attachmentObj = nullptr;
+ }
}
- else
- {
- mData.mDepthAttachment.detach();
- mData.mStencilAttachment.detach();
- }
+
+ mData.mDepthAttachment.attach(type, binding, textureIndex, attachmentObj);
+ mData.mStencilAttachment.attach(type, binding, textureIndex, attachmentObj);
mImpl->onUpdateDepthStencilAttachment();
}
else