Changeset 71903 in vbox for trunk/src/VBox

Timestamp:

Apr 18, 2018 4:22:34 PM (7 years ago)

Author:

vboxsync

Message:

3D: bugref:9096, Chromium code cleanup

Location:

trunk/src/VBox

Files:

• GuestHost/OpenGL/state_tracker/state_client.c (modified) (1 diff)
• GuestHost/OpenGL/state_tracker/state_program.c (modified) (3 diffs)
• HostServices/SharedOpenGL/unpacker/unpack_arrays.c (modified) (1 diff)
• HostServices/SharedOpenGL/unpacker/unpack_program.c (modified) (2 diffs)

trunk/src/VBox/GuestHost/OpenGL/state_tracker/state_client.c

@@ -2401 +2401 @@
     CRASSERT(array && index>=0 && index<CRSTATECLIENT_MAX_VERTEXARRAYS);
 
-    if (index<7)
+    if (array == NULL || index < 0 || index >= CRSTATECLIENT_MAX_VERTEXARRAYS)
+    {
+        return NULL;
+    }
+
+    if (index < 7)
     {
         switch (index)

trunk/src/VBox/GuestHost/OpenGL/state_tracker/state_program.c

@@ -692 +692 @@
 
     if (target == GL_VERTEX_PROGRAM_NV) {
+        if (index >= UINT32_MAX - num) {
+            crStateError(__LINE__, __FILE__, GL_INVALID_VALUE,
+                "glProgramParameters4dvNV(index+num) integer overflow");
+            return;
+        }
+
         if (index + num < g->limits.maxVertexProgramEnvParams) {
             GLuint i;
@@ -732 +738 @@
 
     if (target == GL_VERTEX_PROGRAM_NV) {
+        if (index >= UINT32_MAX - num) {
+            crStateError(__LINE__, __FILE__, GL_INVALID_VALUE,
+                "glProgramParameters4dvNV(index+num) integer overflow");
+            return;
+        }
+
         if (index + num < g->limits.maxVertexProgramEnvParams) {
             GLuint i;
@@ -850 +862 @@
         return;
     }
-    
+
     if (target == GL_VERTEX_PROGRAM_NV) {
-        if (address & 0x3) {
-      /* addr must be multiple of four */
-      crStateError(__LINE__, __FILE__, GL_INVALID_VALUE,
+        if (address & 0x3 || address >= g->limits.maxVertexProgramEnvParams) {
+            crStateError(__LINE__, __FILE__, GL_INVALID_VALUE,
                                      "glTrackMatrixNV(address)");
-      return;
+            return;
         }
 

trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack_arrays.c

@@ -225 +225 @@
     unsigned char *data;
     
-    offset = 2*sizeof(int)+12;
+    if (first < 0 || count <= 0 || first >= INT32_MAX - count)
+    {
+        crError("crUnpackExtendLockArraysEXT: first(%i) count(%i), parameters out of range", first, count);
+        return;
+    }
+
+    if (numenabled <= 0 || numenabled >= CRSTATECLIENT_MAX_VERTEXARRAYS)
+    {
+        crError("crUnpackExtendLockArraysEXT: numenabled(%i), parameter out of range", numenabled);
+        return;
+    }
+
+    offset = 2 * sizeof(int) + 12;
 
     /*crDebug("crUnpackExtendLockArraysEXT(%i, %i) ne=%i", first, count, numenabled);*/
 
-    for (i=0; i<numenabled; ++i)
+    for (i = 0; i < numenabled; ++i)
     {
         index = READ_DATA(offset, int);
         offset += sizeof(int);
+
         cp = crStateGetClientPointerByIndex(index, &c->array);
+
         CRASSERT(cp && cp->enabled && (!cp->buffer || !cp->buffer->id));
-        data = crAlloc((first+count)*cp->bytesPerIndex);
-        crMemcpy(data+first*cp->bytesPerIndex, DATA_POINTER(offset, GLvoid), count*cp->bytesPerIndex);
-        offset += count*cp->bytesPerIndex;
-        /*crDebug("crUnpackExtendLockArraysEXT: old cp(%i): en/l=%i(%i) p=%p size=%i type=0x%x n=%i str=%i pp=%p pstr=%i",
-                index, cp->enabled, cp->locked, cp->p, cp->size, cp->type, cp->normalized, cp->stride, cp->prevPtr, cp->prevStride);*/
-        crUnpackSetClientPointerByIndex(index, cp->size, cp->type, cp->normalized, 0, data, c);
-        /*crDebug("crUnpackExtendLockArraysEXT: new cp(%i): en/l=%i(%i) p=%p size=%i type=0x%x n=%i str=%i pp=%p pstr=%i",
-                index, cp->enabled, cp->locked, cp->p, cp->size, cp->type, cp->normalized, cp->stride, cp->prevPtr, cp->prevStride);*/
-    }
+
+        if (cp && cp->bytesPerIndex > 0)
+        {
+            if (first + count >= INT32_MAX / cp->bytesPerIndex)
+            {
+                crError("crUnpackExtendLockArraysEXT: first(%i) count(%i) bpi(%i), parameters out of range", first, count, cp->bytesPerIndex);
+                return;
+            }
+
+            data = crAlloc((first + count) * cp->bytesPerIndex);
+
+            if (data)
+            {
+                crMemcpy(data + first * cp->bytesPerIndex, DATA_POINTER(offset, GLvoid), count * cp->bytesPerIndex);
+                /*crDebug("crUnpackExtendLockArraysEXT: old cp(%i): en/l=%i(%i) p=%p size=%i type=0x%x n=%i str=%i pp=%p pstr=%i",
+                        index, cp->enabled, cp->locked, cp->p, cp->size, cp->type, cp->normalized, cp->stride, cp->prevPtr, cp->prevStride);*/
+                crUnpackSetClientPointerByIndex(index, cp->size, cp->type, cp->normalized, 0, data, c);
+                /*crDebug("crUnpackExtendLockArraysEXT: new cp(%i): en/l=%i(%i) p=%p size=%i type=0x%x n=%i str=%i pp=%p pstr=%i",
+                        index, cp->enabled, cp->locked, cp->p, cp->size, cp->type, cp->normalized, cp->stride, cp->prevPtr, cp->prevStride);*/
+            }
+            else
+            {
+                crError("crUnpackExtendLockArraysEXT: crAlloc failed");
+                return;
+            }
+        }
+        else
+        {
+            crError("crUnpackExtendLockArraysEXT: wrong CRClientState %i", index);
+            return;
+        }
+
+        offset += count * cp->bytesPerIndex;
+    }
+
     cr_unpackDispatch.LockArraysEXT(first, count);
 }

trunk/src/VBox/HostServices/SharedOpenGL/unpacker/unpack_program.c

@@ -43 +43 @@
         GLuint index = READ_DATA(12, GLuint);
         GLuint num = READ_DATA(16, GLuint);
-        GLdouble *params = (GLdouble *) crAlloc(num * 4 * sizeof(GLdouble));
+    GLdouble *params;
+
+    if (num >= UINT32_MAX / (4 * sizeof(GLdouble)))
+    {
+        crError("crUnpackExtendProgramParameters4dvNV: parameter 'num' is out of range");
+        return;
+    }
+
+    params = (GLdouble *)crAlloc(num * 4 * sizeof(GLdouble));
+
         if (params) {
                 GLuint i;
                 for (i = 0; i < 4 * num; i++) {
-                        params[i] = READ_DATA(20 + i * 8, GLdouble);
+            params[i] = READ_DATA(20 + i * sizeof(GLdouble), GLdouble);
                 }
                 cr_unpackDispatch.ProgramParameters4dvNV(target, index, num, params);
@@ -60 +69 @@
         GLuint index = READ_DATA(12, GLuint);
         GLuint num = READ_DATA(16, GLuint);
-        GLfloat *params = (GLfloat *) crAlloc(num * 4 * sizeof(GLfloat));
+    GLfloat *params;
+
+    if (num >= UINT32_MAX / (4 * sizeof(GLfloat)))
+    {
+        crError("crUnpackExtendProgramParameters4fvNV: parameter 'num' is out of range");
+        return;
+    }
+
+    params = (GLfloat *)crAlloc(num * 4 * sizeof(GLfloat));
+
         if (params) {
                 GLuint i;
                 for (i = 0; i < 4 * num; i++) {
-                        params[i] = READ_DATA(20 + i * 4, GLfloat);
+            params[i] = READ_DATA(20 + i * sizeof(GLfloat), GLfloat);
                 }
                 cr_unpackDispatch.ProgramParameters4fvNV(target, index, num, params);