
Commit c620a52b authored by Jack Palevich's avatar Jack Palevich

Add size checks for glBufferData and glBufferSubData

Without the size checks it's possible for calls to glBufferData
and glBufferSubData to read off the end of the Buffer object's
data, which can cause page faults.

Fix end-of-line characters for the "spec" files. (That's why
every line of these files is changed.)

Enhance our code emitter to properly handle bounds checks for
possibly-null pointers.
parent d443ba45
+12 −0
@@ -144,6 +144,10 @@ android_glBufferData__IILjava_nio_Buffer_2I

    if (data_buf) {
        data = (GLvoid *)getPointer(_env, data_buf, &_array, &_remaining);
        if (_remaining < size) {
            _env->ThrowNew(IAEClass, "remaining() < size");
            goto exit;
        }
    }
    glBufferData(
        (GLenum)target,
@@ -151,6 +155,8 @@ android_glBufferData__IILjava_nio_Buffer_2I
        (GLvoid *)data,
        (GLenum)usage
    );

exit:
    if (_array) {
        releasePointer(_env, _array, data, JNI_FALSE);
    }
@@ -165,12 +171,18 @@ android_glBufferSubData__IIILjava_nio_Buffer_2
    GLvoid *data = (GLvoid *) 0;

    data = (GLvoid *)getPointer(_env, data_buf, &_array, &_remaining);
    if (_remaining < size) {
        _env->ThrowNew(IAEClass, "remaining() < size");
        goto exit;
    }
    glBufferSubData(
        (GLenum)target,
        (GLintptr)offset,
        (GLsizeiptr)size,
        (GLvoid *)data
    );

exit:
    if (_array) {
        releasePointer(_env, _array, data, JNI_FALSE);
    }
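Review bot: The new `if (_remaining < size)` test in the glBufferData and glBufferSubData hunks does not reject a negative `size`: `size` is presumably the Java jint parameter (it is later cast to `(GLsizeiptr)size`) and `_remaining` is a signed count filled in by getPointer, so a negative `size` compares as smaller than any remaining() and falls through to the GL call instead of raising the IllegalArgumentException the check is meant to produce. Since the JNI layer is where this commit chose to validate sizes, the guard should cover the sign as well, e.g. `if (size < 0 || _remaining < size) {` with the existing `ThrowNew` and `goto exit` unchanged. The same two tests appear again in the second file section (the hunks at the same two function names there) and should be changed in the same way. Both enclosing functions start before their hunks, so the declarations of `size`, `_remaining` and `_array` are not visible here.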
+12 −0
@@ -3593,6 +3593,10 @@ android_glBufferData__IILjava_nio_Buffer_2I

    if (data_buf) {
        data = (GLvoid *)getPointer(_env, data_buf, &_array, &_remaining);
        if (_remaining < size) {
            _env->ThrowNew(IAEClass, "remaining() < size");
            goto exit;
        }
    }
    glBufferData(
        (GLenum)target,
@@ -3600,6 +3604,8 @@ android_glBufferData__IILjava_nio_Buffer_2I
        (GLvoid *)data,
        (GLenum)usage
    );

exit:
    if (_array) {
        releasePointer(_env, _array, data, JNI_FALSE);
    }
@@ -3614,12 +3620,18 @@ android_glBufferSubData__IIILjava_nio_Buffer_2
    GLvoid *data = (GLvoid *) 0;

    data = (GLvoid *)getPointer(_env, data_buf, &_array, &_remaining);
    if (_remaining < size) {
        _env->ThrowNew(IAEClass, "remaining() < size");
        goto exit;
    }
    glBufferSubData(
        (GLenum)target,
        (GLintptr)offset,
        (GLsizeiptr)size,
        (GLvoid *)data
    );

exit:
    if (_array) {
        releasePointer(_env, _array, data, JNI_FALSE);
    }
+62 −61
@@ -23,7 +23,8 @@ glPointParameter check params 1
glTexEnv ifcheck params 1 pname GL_TEXTURE_ENV_MODE,GL_COMBINE_RGB,GL_COMBINE_ALPHA ifcheck params 4 pname GL_TEXTURE_ENV_COLOR
glTexImage2D nullAllowed
glTexSubImage2D nullAllowed
glBufferData nullAllowed
glBufferData nullAllowed check data size
glBufferSubData check data size
glTexParameter check params 1
glQueryMatrixxOES check mantissa 16 check exponent 16 return -1
glDrawTexfvOES check coords 5
+60 −59
@@ -21,7 +21,8 @@ glPointParameter check params 1
glTexEnv ifcheck params 1 pname GL_TEXTURE_ENV_MODE,GL_COMBINE_RGB,GL_COMBINE_ALPHA ifcheck params 4 pname GL_TEXTURE_ENV_COLOR
glTexImage2D nullAllowed
glTexSubImage2D nullAllowed
glBufferData nullAllowed
glBufferData nullAllowed check data size
glBufferSubData check data size
glTexParameter check params 1
glQueryMatrixxOES check mantissa 16 check exponent 16 return -1
glDrawTexfvOES check coords 5
+5 −5
@@ -907,13 +907,13 @@ public class JniCodeEmitter {
                                    ");");
                    }

                    emitNativeBoundsChecks(cfunc, cname, out, true,
                                           emitExceptionCheck,
                                           offset, remaining, nullAllowed ? "        " : "    ");

                    if (nullAllowed) {
                        out.println(indent + "}");
                    }

                    emitNativeBoundsChecks(cfunc, cname, out, true,
                                           emitExceptionCheck,
                                           offset, remaining, "    ");
                }
            }
        }