Protect against integer overflows in the VertexBuffer class by validating the reserved space.
Issue 444
Signed-off-by: Jamie Madil
Signed-off-by: Shannon Woods
Author: Geoff Lang
diff --git a/src/libGLESv2/renderer/VertexDataManager.cpp b/src/libGLESv2/renderer/VertexDataManager.cpp
index 2cd18d8..4a57d91 100644
--- a/src/libGLESv2/renderer/VertexDataManager.cpp
+++ b/src/libGLESv2/renderer/VertexDataManager.cpp
@@ -121,12 +121,18 @@
if (staticBuffer->getBufferSize() == 0)
{
int totalCount = ElementsInBuffer(attribs[i], buffer->size());
- staticBuffer->reserveVertexSpace(attribs[i], totalCount, 0);
+ if (!staticBuffer->reserveVertexSpace(attribs[i], totalCount, 0))
+ {
+ return GL_OUT_OF_MEMORY;
+ }
}
}
else
{
- mStreamingBuffer->reserveVertexSpace(attribs[i], count, instances);
+ if (!mStreamingBuffer->reserveVertexSpace(attribs[i], count, instances))
+ {
+ return GL_OUT_OF_MEMORY;
+ }
}
}
}
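Review bot: The two early `return GL_OUT_OF_MEMORY;` exits added here, inside what appears to be the per-attribute loop, do not say why a reservation can fail, and they leave in place whatever earlier iterations already reserved. Going by the commit message, `reserveVertexSpace` returns false when the required size would overflow, so a comment at the first check such as `// reserveVertexSpace fails if the required size overflows; abort rather than under-allocate` would make the intent clear. The same applies to the check before `storeVertexAttributes` in the later hunk. The enclosing function starts and ends outside this hunk, so it is not visible whether the reserved-space bookkeeping on `mStreamingBuffer` is reset before the next call. That is worth confirming, because a stale reservation left by a failed call could skew later size checks.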
@@ -218,7 +224,11 @@
if (memcmp(&mCurrentValue[i], ¤tValues[i], sizeof(gl::VertexAttribCurrentValueData)) != 0)
{
- buffer->reserveVertexSpace(attribs[i], 1, 0);
+ if (!buffer->reserveVertexSpace(attribs[i], 1, 0))
+ {
+ return GL_OUT_OF_MEMORY;
+ }
+
int streamOffset = buffer->storeVertexAttributes(attribs[i], currentValues[i], 0, 1, 0);
if (streamOffset == -1)
{