author | apatrick@chromium.org <apatrick@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-12-02 01:42:21 +0000 |
---|---|---|
committer | apatrick@chromium.org <apatrick@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-12-02 01:42:21 +0000 |
commit | fd32be412c5895883f507bf97fff3f3425843951 (patch) | |
tree | b543f4b06dcea9a5b4892b789c2637e5fadae13f /gpu | |
parent | 368ac0a978b409d0b83fe3bd6cd06213b69adf37 (diff) | |
Check offset argument to gpu::gles2::BufferManager::BufferInfo::SetRange is not negative.
Prevents writing to buffer out of range.
TEST=try
BUG=none
Review URL: http://codereview.chromium.org/5525001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@67937 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'gpu')
-rwxr-xr-x | gpu/command_buffer/build_gles2_cmd_buffer.py | 17 | ||||
-rw-r--r-- | gpu/command_buffer/service/buffer_manager.cc | 7 | ||||
-rw-r--r-- | gpu/command_buffer/service/buffer_manager_unittest.cc | 4 |
3 files changed, 19 insertions, 9 deletions
diff --git a/gpu/command_buffer/build_gles2_cmd_buffer.py b/gpu/command_buffer/build_gles2_cmd_buffer.py
index 331159c..0e9d7e5 100755
--- a/gpu/command_buffer/build_gles2_cmd_buffer.py
+++ b/gpu/command_buffer/build_gles2_cmd_buffer.py
@@ -65,7 +65,7 @@ GL_APICALL void GL_APIENTRY glBlendEquationSeparate (GLenumEquation mode
 GL_APICALL void GL_APIENTRY glBlendFunc (GLenumSrcBlendFactor sfactor, GLenumDstBlendFactor dfactor);
 GL_APICALL void GL_APIENTRY glBlendFuncSeparate (GLenumSrcBlendFactor srcRGB, GLenumDstBlendFactor dstRGB, GLenumSrcBlendFactor srcAlpha, GLenumDstBlendFactor dstAlpha);
 GL_APICALL void GL_APIENTRY glBufferData (GLenumBufferTarget target, GLsizeiptr size, const void* data, GLenumBufferUsage usage);
-GL_APICALL void GL_APIENTRY glBufferSubData (GLenumBufferTarget target, GLintptr offset, GLsizeiptr size, const void* data);
+GL_APICALL void GL_APIENTRY glBufferSubData (GLenumBufferTarget target, GLintptrNotNegative offset, GLsizeiptr size, const void* data);
 GL_APICALL GLenum GL_APIENTRY glCheckFramebufferStatus (GLenumFrameBufferTarget target);
 GL_APICALL void GL_APIENTRY glClear (GLbitfield mask);
 GL_APICALL void GL_APIENTRY glClearColor (GLclampf red, GLclampf green, GLclampf blue, GLclampf alpha);
@@ -203,7 +203,7 @@ GL_APICALL void GL_APIENTRY glGenSharedIdsCHROMIUM (GLuint namespace_id,
 GL_APICALL void GL_APIENTRY glDeleteSharedIdsCHROMIUM (GLuint namespace_id, GLsizeiNotNegative n, const GLuint* ids);
 GL_APICALL void GL_APIENTRY glRegisterSharedIdsCHROMIUM (GLuint namespace_id, GLsizeiNotNegative n, const GLuint* ids);
 GL_APICALL GLboolean GL_APIENTRY glCommandBufferEnableCHROMIUM (const char* feature);
-GL_APICALL void* GL_APIENTRY glMapBufferSubDataCHROMIUM (GLuint target, GLintptr offset, GLsizeiptr size, GLenum access);
+GL_APICALL void* GL_APIENTRY glMapBufferSubDataCHROMIUM (GLuint target, GLintptrNotNegative offset, GLsizeiptr size, GLenum access);
 GL_APICALL void GL_APIENTRY glUnmapBufferSubDataCHROMIUM (const void* mem);
 GL_APICALL void* GL_APIENTRY glMapTexSubImage2DCHROMIUM (GLenum target, GLint level, GLint xoffset, GLint yoffset, GLsizei width, GLsizei height, GLenum format, GLenum type, GLenum access);
 GL_APICALL void GL_APIENTRY glUnmapTexSubImage2DCHROMIUM (const void* mem);
@@ -4087,8 +4087,8 @@ class SizeArgument(Argument):
 class SizeNotNegativeArgument(SizeArgument):
 """class for GLsizeiNotNegative. It's NEVER allowed to be negative"""
- def __init__(self, name, type):
- SizeArgument.__init__(self, name, "GLsizei")
+ def __init__(self, name, type, gl_type):
+ SizeArgument.__init__(self, name, gl_type)
 def GetInvalidArg(self, offset, index):
 """overridden from SizeArgument."""
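Review bot: The class docstring kept as context in the `SizeNotNegativeArgument` hunk still reads `class for GLsizeiNotNegative`, but with the new `gl_type` parameter the class also stands for `GLintptrNotNegative` arguments. I would reword it along the lines of `"""Argument for GL*NotNegative types; gl_type is the underlying GL type."""`. The `type` parameter of `__init__` is accepted but not used in the lines shown, so a one-line comment saying it is kept only for signature compatibility would help. The class body continues outside the hunk.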
@@ -4802,10 +4802,13 @@ def CreateArg(arg_string):
 elif arg_parts[0].startswith('GLboolean') and len(arg_parts[0]) > 9:
 return BoolArgument(arg_parts[-1], " ".join(arg_parts[0:-1]))
 elif (arg_parts[0].startswith('GLint') and len(arg_parts[0]) > 5 and
- arg_parts[0] != "GLintptr"):
+ not arg_parts[0].startswith('GLintptr')):
 return IntArgument(arg_parts[-1], " ".join(arg_parts[0:-1]))
- elif arg_parts[0].startswith('GLsizeiNotNegative'):
- return SizeNotNegativeArgument(arg_parts[-1], " ".join(arg_parts[0:-1]))
+ elif (arg_parts[0].startswith('GLsizeiNotNegative') or
+ arg_parts[0].startswith('GLintptrNotNegative')):
+ return SizeNotNegativeArgument(arg_parts[-1],
+ " ".join(arg_parts[0:-1]),
+ arg_parts[0][0:-11])
 elif arg_parts[0].startswith('GLsize'):
 return SizeArgument(arg_parts[-1], " ".join(arg_parts[0:-1]))
 else:
diff --git a/gpu/command_buffer/service/buffer_manager.cc b/gpu/command_buffer/service/buffer_manager.cc
index 07a9753..fadbbad 100644
--- a/gpu/command_buffer/service/buffer_manager.cc
+++ b/gpu/command_buffer/service/buffer_manager.cc
@@ -79,7 +79,7 @@ void BufferManager::BufferInfo::SetSize(GLsizeiptr size, bool shadow) {
 bool BufferManager::BufferInfo::SetRange(
 GLintptr offset, GLsizeiptr size, const GLvoid * data) {
 DCHECK(!IsDeleted());
- if (offset + size < offset || offset + size > size_) {
+ if (offset < 0 || offset + size < offset || offset + size > size_) {
 return false;
 }
 if (shadowed_) {
@@ -91,7 +91,10 @@ bool BufferManager::BufferInfo::SetRange(
 const void* BufferManager::BufferInfo::GetRange(
 GLintptr offset, GLsizeiptr size) const {
- if (!shadowed_ || (offset + size < offset || offset + size > size_)) {
+ if (!shadowed_) {
+ return NULL;
+ }
+ if (offset < 0 || offset + size < offset || offset + size > size_) {
 return NULL;
 }
 return shadow_.get() + offset;
diff --git a/gpu/command_buffer/service/buffer_manager_unittest.cc b/gpu/command_buffer/service/buffer_manager_unittest.cc
index 37bd00f..af09788 100644
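Review bot: The slice `arg_parts[0][0:-11]` in the new `SizeNotNegativeArgument(...)` call hard-codes the length of the `NotNegative` suffix, while the branch itself is chosen with `startswith`. A type token that begins with `GLintptrNotNegative` but carries further characters would therefore be cut in the wrong place and produce a wrong underlying GL type without any error. Tying the two together avoids that, for example `arg_parts[0][:-len('NotNegative')]` with the condition testing `endswith('NotNegative')`. CreateArg starts and ends outside the hunk.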
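Review bot: The bounds test in SetRange still relies on `offset + size < offset` to catch wraparound, but the unit tests pass negative values for both arguments, so `GLintptr` and `GLsizeiptr` are signed and an overflowing sum is undefined behaviour. An optimising compiler is allowed to reduce that clause to `size < 0`, which would leave a large offset combined with a large size unchecked before the shadow buffer is written. A form that never computes the sum avoids this: `if (offset < 0 || size < 0 || offset > size_ || size > size_ - offset) {`, assuming `size_` is a non-negative `GLsizeiptr`, which is not visible here. The same expression is added to GetRange in the following hunk and should change with it; both function bodies continue outside their hunks.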
--- a/gpu/command_buffer/service/buffer_manager_unittest.cc
+++ b/gpu/command_buffer/service/buffer_manager_unittest.cc
@@ -99,6 +99,8 @@ TEST_F(BufferManagerTest, SetRange) {
 EXPECT_TRUE(info->SetRange(sizeof(data), 0, data));
 EXPECT_FALSE(info->SetRange(sizeof(data), 1, data));
 EXPECT_FALSE(info->SetRange(0, sizeof(data) + 1, data));
+ EXPECT_FALSE(info->SetRange(-1, sizeof(data), data));
+ EXPECT_FALSE(info->SetRange(0, -1, data));
 }
 TEST_F(BufferManagerTest, GetRange) {
@@ -117,6 +119,8 @@ TEST_F(BufferManagerTest, GetRange) {
 EXPECT_EQ(buf + 1, buf1);
 EXPECT_TRUE(info->GetRange(sizeof(data), 1) == NULL);
 EXPECT_TRUE(info->GetRange(0, sizeof(data) + 1) == NULL);
+ EXPECT_TRUE(info->GetRange(-1, sizeof(data)) == NULL);
+ EXPECT_TRUE(info->GetRange(-0, -1) == NULL);
 }
 TEST_F(BufferManagerTest, GetMaxValueForRangeUint8) { |
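Review bot: The two cases added to the SetRange test cover a negative offset and a negative size, but nothing exercises `offset + size` near the top of the type's range, which is what the `offset + size < offset` clause in buffer_manager.cc is there for. Once that check no longer depends on signed overflow, a case such as `EXPECT_FALSE(info->SetRange(1, std::numeric_limits<GLsizeiptr>::max(), data));` would pin the behaviour. The GetRange test in the next hunk has the same gap.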
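Review bot: The last added GetRange expectation passes `-0` as the offset, which is simply `0` and reads like a typo for a negative value. Writing it as `EXPECT_TRUE(info->GetRange(0, -1) == NULL);` mirrors the SetRange case and makes clear that only the negative size is under test.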