Protect against integer overflows in the IndexBuffer class by validating that the new write position will not overflow.
Issue 444
Signed-off-by: Jamie Madil
Signed-off-by: Shannon Woods
Author: Geoff Lang
diff --git a/src/libGLESv2/renderer/IndexBuffer.cpp b/src/libGLESv2/renderer/IndexBuffer.cpp
index 16fd782..3d5d7a7 100644
--- a/src/libGLESv2/renderer/IndexBuffer.cpp
+++ b/src/libGLESv2/renderer/IndexBuffer.cpp
@@ -130,12 +130,13 @@
{
bool result = true;
unsigned int curBufferSize = getBufferSize();
+ unsigned int writePos = getWritePosition();
if (size > curBufferSize)
{
result = setBufferSize(std::max(size, 2 * curBufferSize), indexType);
setWritePosition(0);
}
- else if (getWritePosition() + size > curBufferSize)
+ else if (writePos + size > curBufferSize || writePos + size < writePos)
{
if (!discard())
{
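Review bot: The new `else if` condition still computes the wrapping sum `writePos + size` and then tests for the wrap afterwards, with no comment explaining the second clause. This branch is only reached when `size <= curBufferSize`, so the same test can be written with no overflowing arithmetic as `else if (writePos > curBufferSize - size)`, which also covers the wrapped case. If the two-clause form is kept, add a comment such as `// second clause catches unsigned wrap-around of writePos + size`. `writePos` is read before the first branch calls `setWritePosition(0)`, so the local is stale after a resize. The function starts and ends outside this hunk, so any later use of `writePos` there should re-read `getWritePosition()` instead.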