Prevent integer-overflow on scissor test
Currently we don't restrict any of the parameters (x, y, width, height)
to glScissor aside from forcing width and height to be non-negative.
This means large parameters can cause overflows during the scissor test.
So we change width/height in the cases where an overflow will happen.
Bug chromium:969071
Change-Id: Icb6992551aed6e3e086f96d89931eae0e99899a4
Reviewed-on: https://swiftshader-review.googlesource.com/c/SwiftShader/+/32608
Presubmit-Ready: Sean Risser <srisser@google.com>
Kokoro-Presubmit: kokoro <noreply+kokoro@google.com>
Tested-by: Sean Risser <srisser@google.com>
Reviewed-by: Nicolas Capens <nicolascapens@google.com>
diff --git a/src/OpenGL/libGLESv2/Context.cpp b/src/OpenGL/libGLESv2/Context.cpp
index 787b6d6..f5db001 100644
--- a/src/OpenGL/libGLESv2/Context.cpp
+++ b/src/OpenGL/libGLESv2/Context.cpp
@@ -694,6 +694,20 @@
{
mState.scissorX = x;
mState.scissorY = y;
+
+ // An overflow happens when (infinite precision) X + Width > INT32_MAX. We
+ // can change that formula to "X > INT32_MAX - Width". And when we bring it
+ // down to 32-bit precision, we know it's safe because width is non-negative.
+ if (x > INT32_MAX - width)
+ {
+ width = INT32_MAX - x;
+ }
+
+ if (y > INT32_MAX - height)
+ {
+ height = INT32_MAX - y;
+ }
+
mState.scissorWidth = width;
mState.scissorHeight = height;
}
