Google Git
Sign in
cos / mirrors / cros / chromiumos / overlays / chromiumos-overlay / refs/heads/firmware-spring-3833.B / . / media-plugins / o3d / files / o3d-38135.patch
blob: aebbc1047e97301611fe38851ad5b3b298351c28 [file] [log] [blame]
--- o3d/plugin/cross/texture_static_glue.cc (revision 182761)
+++ o3d/plugin/cross/texture_static_glue.cc (working copy)
@@ -86,6 +86,8 @@
copy_width += destination_x;
source_x -= destination_x;
destination_x = 0;
+ } else if (destination_x > INT_MAX - copy_width) {
+ return;
}
if (destination_x + copy_width > static_cast<int>(texture_width)) {
copy_width -= destination_x + copy_width - texture_width;
@@ -95,6 +97,8 @@
copy_height += destination_y;
source_y -= destination_y;
destination_y = 0;
+ } else if (destination_y > INT_MAX - copy_height) {
+ return;
}
if (destination_y + copy_height > static_cast<int>(texture_height)) {
copy_height -= destination_y + copy_height - texture_height;
@@ -472,7 +476,12 @@
int mip_height =
static_cast<int>(o3d::image::ComputeMipDimension(level, self->height()));
- if (x < 0 || x + width > mip_width || y < 0 || y + height > mip_height) {
+ if (x < 0 ||
+ x > INT_MAX - width ||
+ x + width > mip_width ||
+ y < 0 ||
+ y > INT_MAX - height ||
+ y + height > mip_height) {
O3D_ERROR(self->service_locator()) << "area out of range";
return empty;
}
@@ -560,7 +569,12 @@
int mip_length = static_cast<int>(o3d::image::ComputeMipDimension(
level, self->edge_length()));
- if (x < 0 || x + width > mip_length || y < 0 || y + height > mip_length) {
+ if (x < 0 ||
+ x > INT_MAX - width ||
+ x + width > mip_length ||
+ y < 0 ||
+ y > INT_MAX - height ||
+ y + height > mip_length) {
O3D_ERROR(self->service_locator()) << "area out of range";
return empty;
}
--- o3d/ppapi_plugin/cross/texture_static_glue.cc (revision 182761)
+++ o3d/ppapi_plugin/cross/texture_static_glue.cc (working copy)
@@ -86,6 +86,8 @@
copy_width += destination_x;
source_x -= destination_x;
destination_x = 0;
+ } else if (destination_x > INT_MAX - copy_width) {
+ return;
}
if (destination_x + copy_width > static_cast<int>(texture_width)) {
copy_width -= destination_x + copy_width - texture_width;
@@ -95,6 +97,8 @@
copy_height += destination_y;
source_y -= destination_y;
destination_y = 0;
+ } else if (destination_y > INT_MAX - copy_height) {
+ return;
}
if (destination_y + copy_height > static_cast<int>(texture_height)) {
copy_height -= destination_y + copy_height - texture_height;
@@ -472,7 +476,12 @@
int mip_height =
static_cast<int>(o3d::image::ComputeMipDimension(level, self->height()));
- if (x < 0 || x + width > mip_width || y < 0 || y + height > mip_height) {
+ if (x < 0 ||
+ x > INT_MAX - width ||
+ x + width > mip_width ||
+ y < 0 ||
+ y > INT_MAX - height ||
+ y + height > mip_height) {
O3D_ERROR(self->service_locator()) << "area out of range";
return empty;
}
@@ -560,7 +569,12 @@
int mip_length = static_cast<int>(o3d::image::ComputeMipDimension(
level, self->edge_length()));
- if (x < 0 || x + width > mip_length || y < 0 || y + height > mip_length) {
+ if (x < 0 ||
+ x > INT_MAX - width ||
+ x + width > mip_length ||
+ y < 0 ||
+ y > INT_MAX - height ||
+ y + height > mip_length) {
O3D_ERROR(self->service_locator()) << "area out of range";
return empty;
}
--- o3d/import/cross/raw_data.cc (revision 182761)
+++ o3d/import/cross/raw_data.cc (working copy)
@@ -127,11 +127,12 @@
// Load the file data into memory
data_.reset(new uint8[file_length]);
- length_ = file_length;
+ length_ = 0;
if (fread(data_.get(), file_length, 1, file) != 1) {
DLOG(ERROR) << "error reading file \"" << filename << "\"";
} else {
result = true;
+ length_ = file_length;
}
}
}
@@ -148,11 +149,11 @@
&data_,
&data_length,
&error_string);
- length_ = data_length;
if (!no_errors) {
O3D_ERROR(service_locator()) << error_string;
return false;
}
+ length_ = data_length;
return true;
}
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- o3d/core/cross/primitive.cc (revision 182761)
+++ o3d/core/cross/primitive.cc (working copy)
@@ -47,6 +47,7 @@
bool Primitive::GetIndexCount(PrimitiveType primitive_type,
unsigned int primitive_count,
unsigned int* index_count) {
+ if (primitive_count > INT_MAX / 4) return false;
switch (primitive_type) {
case Primitive::POINTLIST:
*index_count = primitive_count;
--- o3d/core/cross/pack.cc (revision 182761)
+++ o3d/core/cross/pack.cc (working copy)
@@ -337,7 +337,9 @@
return NULL;
}
- if (width > renderer_->max_texture_width() ||
+ if (width < 0 || height < 0 || levels < 0 ||
+ (width && height > INT_MAX / 4 / width) ||
+ width > renderer_->max_texture_width() ||
height > renderer_->max_texture_height()) {
O3D_ERROR(service_locator())
<< "Maximum texture size is (" << renderer_->max_texture_width() << "x"
@@ -378,7 +380,9 @@
return NULL;
}
- if (edge_length > renderer_->max_texture_width() ||
+ if (edge_length < 0 || levels < 0 ||
+ (edge_length && edge_length > INT_MAX / 4 / 6 / edge_length) ||
+ edge_length > renderer_->max_texture_width() ||
edge_length > renderer_->max_texture_height()) {
O3D_ERROR(service_locator())
<< "Maximum edge_length is "
@@ -418,7 +422,9 @@
return NULL;
}
- if (width > renderer_->max_texture_width() ||
+ if (width < 0 || height < 0 ||
+ (width && height > INT_MAX / 4 / width) ||
+ width > renderer_->max_texture_width() ||
height > renderer_->max_texture_height()) {
O3D_ERROR(service_locator())
<< "Maximum texture size is (" << renderer_->max_texture_width() << "x"
--- o3d/core/cross/skin.cc (revision 182761)
+++ o3d/core/cross/skin.cc (working copy)
@@ -61,6 +61,7 @@
void Skin::SetVertexInfluences(unsigned vertex_index,
const Skin::Influences& influences) {
+ if (vertex_index > INT_MAX) return;
if (influences_array_.size() <= vertex_index) {
influences_array_.resize(vertex_index + 1);
}
@@ -103,6 +104,7 @@
}
void Skin::SetInverseBindPoseMatrix(unsigned index, const Matrix4& matrix) {
+ if (index > INT_MAX) return;
if (inverse_bind_pose_matrices_.size() <= index) {
inverse_bind_pose_matrices_.resize(index + 1, Matrix4::identity());
}
--- o3d/core/cross/texture.cc (revision 182761)
+++ o3d/core/cross/texture.cc (working copy)
@@ -283,7 +283,8 @@
O3D_ERROR(service_locator()) << "source level out of range";
return;
}
- if (source_level + num_levels >= levels()) {
+ if (num_levels < 0 || num_levels >= levels() ||
+ source_level + num_levels >= levels()) {
O3D_ERROR(service_locator()) << "num levels out of range";
return;
}
@@ -692,7 +693,8 @@
O3D_ERROR(service_locator()) << "source level out of range";
return;
}
- if (source_level + num_levels >= levels()) {
+ if (num_levels < 0 || num_levels >= levels() ||
+ source_level + num_levels >= levels()) {
O3D_ERROR(service_locator()) << "num levels out of range";
return;
}
--- o3d/core/cross/bitmap.cc (revision 182761)
+++ o3d/core/cross/bitmap.cc (working copy)
@@ -421,7 +421,9 @@
return;
}
unsigned int max_mips = image::ComputeMipMapCount(width(), height());
- if (source_level + num_levels >=
+ if (source_level >= static_cast<int>(max_mips) ||
+ num_levels >= static_cast<int>(max_mips) ||
+ source_level + num_levels >=
static_cast<int>(max_mips) || num_levels < 0) {
O3D_ERROR(service_locator()) << "num levels out of range.";
return;
--- o3d/core/cross/param_array.cc (revision 182761)
+++ o3d/core/cross/param_array.cc (working copy)
@@ -138,6 +138,7 @@
void ParamArray::RemoveParams(unsigned start_index, unsigned num_to_remove) {
if (start_index < params_.size() && num_to_remove > 0) {
unsigned end_index = start_index + num_to_remove;
+ if (end_index < start_index) return;
if (end_index > params_.size()) {
end_index = params_.size();
}
--- o3d/core/cross/canvas.cc (revision 182761)
+++ o3d/core/cross/canvas.cc (working copy)
@@ -62,6 +62,9 @@
}
bool Canvas::SetSize(int width, int height) {
+ if (width < 0 || height < 0 || width > INT_MAX / 4 || height > INT_MAX / 4)
+ return false;
+
width_ = width;
height_ = height;
--- o3d/core/cross/buffer.cc (revision 182761)
+++ o3d/core/cross/buffer.cc (working copy)
@@ -308,9 +308,12 @@
return NULL;
}
+ if (num_components > INT_MAX / 4) return NULL;
+
Field::Ref field = creator->create_function(service_locator(), this,
num_components, stride_);
unsigned int new_stride = stride_ + field->size();
+ if (new_stride < stride_) return NULL;
ReshuffleBuffer(new_stride, NULL);
fields_.push_back(field);
--- third_party/libpng/README.chromium (revision 97669)
+++ third_party/libpng/README.chromium (working copy)
@@ -10,3 +10,6 @@
Updated to 1.2.45, no changes to the source files but all unneeded files
stripped.
+
+- One custom patch for bug 112822, to be sent upstream.
+- Also a signedness condition from upstream relating to the above, bug 116162.
--- third_party/libpng/pngrutil.c (revision 97669)
+++ third_party/libpng/pngrutil.c (working copy)
@@ -247,8 +247,8 @@
{
if (output != 0 && output_size > count)
{
- int copy = output_size - count;
- if (avail < copy) copy = avail;
+ png_size_t copy = output_size - count;
+ if ((png_size_t) avail < copy) copy = (png_size_t) avail;
png_memcpy(output + count, png_ptr->zbuf, copy);
}
count += avail;
@@ -363,8 +363,15 @@
{
/* Success (maybe) - really uncompress the chunk. */
png_size_t new_size = 0;
- png_charp text = png_malloc_warn(png_ptr,
- prefix_size + expanded_size + 1);
+ png_charp text = NULL;
+ /* Need to check for both truncation (64-bit platforms) and integer
+ * overflow.
+ */
+ if (prefix_size + expanded_size > prefix_size &&
+ prefix_size + expanded_size < 0xffffffffU)
+ {
+ text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
+ }
if (text != NULL)
{