Commit aa094bf2 authored by Apertis CI's avatar Apertis CI

Merge updates from debian/buster

parents 59b1c857 c4ab490b
Pipeline #106866 passed with stages
in 36 minutes and 27 seconds
This diff is collapsed.
......@@ -1171,10 +1171,6 @@ pref("services.sync.prefs.sync.browser.link.open_newwindow", true);
pref("services.sync.prefs.sync.browser.newtabpage.enabled", true);
pref("services.sync.prefs.sync.browser.newtabpage.pinned", true);
pref("services.sync.prefs.sync.browser.offline-apps.notify", true);
pref("services.sync.prefs.sync.browser.safebrowsing.phishing.enabled", true);
pref("services.sync.prefs.sync.browser.safebrowsing.malware.enabled", true);
pref("services.sync.prefs.sync.browser.safebrowsing.downloads.enabled", true);
pref("services.sync.prefs.sync.browser.safebrowsing.passwords.enabled", true);
pref("services.sync.prefs.sync.browser.search.update", true);
pref("services.sync.prefs.sync.browser.sessionstore.restore_on_demand", true);
pref("services.sync.prefs.sync.browser.startup.homepage", true);
......@@ -1194,7 +1190,6 @@ pref("services.sync.prefs.sync.dom.disable_open_during_load", true);
pref("services.sync.prefs.sync.dom.disable_window_flip", true);
pref("services.sync.prefs.sync.dom.disable_window_move_resize", true);
pref("services.sync.prefs.sync.dom.event.contextmenu.enabled", true);
pref("services.sync.prefs.sync.extensions.personas.current", true);
pref("services.sync.prefs.sync.extensions.update.enabled", true);
pref("services.sync.prefs.sync.intl.accept_languages", true);
pref("services.sync.prefs.sync.layout.spellcheckDefault", true);
......@@ -1205,8 +1200,6 @@ pref("services.sync.prefs.sync.network.cookie.lifetimePolicy", true);
pref("services.sync.prefs.sync.network.cookie.lifetime.days", true);
pref("services.sync.prefs.sync.network.cookie.thirdparty.sessionOnly", true);
pref("services.sync.prefs.sync.permissions.default.image", true);
pref("services.sync.prefs.sync.pref.advanced.images.disable_button.view_image", true);
pref("services.sync.prefs.sync.pref.advanced.javascript.disable_button.advanced", true);
pref("services.sync.prefs.sync.pref.downloads.disable_button.edit_actions", true);
pref("services.sync.prefs.sync.pref.privacy.disable_button.cookie_exceptions", true);
pref("services.sync.prefs.sync.privacy.clearOnShutdown.cache", true);
......@@ -1225,15 +1218,16 @@ pref("services.sync.prefs.sync.privacy.resistFingerprinting", true);
pref("services.sync.prefs.sync.privacy.reduceTimerPrecision", true);
pref("services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.microseconds", true);
pref("services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.jitter", true);
pref("services.sync.prefs.sync.security.OCSP.enabled", true);
pref("services.sync.prefs.sync.security.OCSP.require", true);
pref("services.sync.prefs.sync.security.default_personal_cert", true);
pref("services.sync.prefs.sync.security.tls.version.min", true);
pref("services.sync.prefs.sync.security.tls.version.max", true);
pref("services.sync.prefs.sync.services.sync.syncedTabs.showRemoteIcons", true);
pref("services.sync.prefs.sync.signon.rememberSignons", true);
pref("services.sync.prefs.sync.spellchecker.dictionary", true);
pref("services.sync.prefs.sync.xpinstall.whitelist.required", true);
// A preference which, if false, means sync will only apply incoming preference
// changes if there's already a local services.sync.prefs.sync.* control pref.
// If true, all incoming preferences will be applied and the local "control
// pref" updated accordingly.
pref("services.sync.prefs.dangerously_allow_arbitrary", false);
// A preference that controls whether we should show the icon for a remote tab.
// This pref has no UI but exists because some people may be concerned that
......
......@@ -10,4 +10,4 @@
# hardcoded milestones in the tree from these two files.
#--------------------------------------------------------
60.7.2
60.8.0
firefox-esr (60.8.0esr-1~deb10u1) buster-security; urgency=medium
* New upstream release.
* Fixes for mfsa2019-22, also known as:
CVE-2019-9811, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713,
CVE-2019-11729, CVE-2019-11715, CVE-2019-11717, CVE-2019-11719,
CVE-2019-11730, CVE-2019-11709.
-- Mike Hommey <glandium@debian.org> Wed, 10 Jul 2019 07:13:23 +0900
firefox-esr (60.7.2esr-1) unstable; urgency=medium
* New upstream release.
* Fixes for mfsa219-19, also known as CVE-2019-11708.
* Fixes for mfsa2019-19, also known as CVE-2019-11708.
-- Mike Hommey <glandium@debian.org> Thu, 20 Jun 2019 10:48:50 -0700
......
......@@ -1216,10 +1216,8 @@ bool nsGlobalWindowOuter::WouldReuseInnerWindow(nsIDocument* aNewDocument) {
return true;
}
bool equal;
if (NS_SUCCEEDED(mDoc->NodePrincipal()->Equals(aNewDocument->NodePrincipal(),
&equal)) &&
equal) {
if (BasePrincipal::Cast(mDoc->NodePrincipal())
->FastEqualsConsideringDomain(aNewDocument->NodePrincipal())) {
// The origin is the same.
return true;
}
......
......@@ -131,6 +131,11 @@ void WebGLBuffer::BufferData(GLenum target, size_t size, const void* data,
MOZ_ASSERT(error == LOCAL_GL_OUT_OF_MEMORY);
mContext->ErrorOutOfMemory("%s: Error from driver: 0x%04x", funcName,
error);
// Truncate
mByteLength = 0;
mFetchInvalidator.InvalidateCaches();
mIndexCache = nullptr;
return;
}
} else {
......
......@@ -20,6 +20,7 @@
#include "mozilla/gfx/2D.h"
#include "mozilla/LinkedList.h"
#include "mozilla/UniquePtr.h"
#include "mozilla/WeakPtr.h"
#include "nsCycleCollectionNoteChild.h"
#include "nsICanvasRenderingContextInternal.h"
#include "nsLayoutUtils.h"
......@@ -278,7 +279,8 @@ class AvailabilityRunnable final : public Runnable {
class WebGLContext : public nsICanvasRenderingContextInternal,
public nsSupportsWeakReference,
public WebGLContextUnchecked,
public nsWrapperCache {
public nsWrapperCache,
public SupportsWeakPtr<WebGLContext> {
friend class ScopedDrawCallWrapper;
friend class ScopedDrawHelper;
friend class ScopedDrawWithTransformFeedback;
......@@ -330,9 +332,9 @@ class WebGLContext : public nsICanvasRenderingContextInternal,
public:
NS_DECL_CYCLE_COLLECTING_ISUPPORTS
NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS_AMBIGUOUS(
WebGLContext, nsICanvasRenderingContextInternal)
MOZ_DECLARE_WEAKREFERENCE_TYPENAME(WebGLContext)
virtual JSObject* WrapObject(JSContext* cx,
JS::Handle<JSObject*> givenProto) override = 0;
......
......@@ -68,8 +68,10 @@ void WebGLExtensionCompressedTextureASTC::GetSupportedProfiles(
dom::Nullable<nsTArray<nsString> >& retval) const {
retval.SetNull();
if (mIsLost) {
mContext->ErrorInvalidOperation("%s: Extension is lost.",
"drawElementsInstancedANGLE");
if (mContext) {
mContext->ErrorInvalidOperation("%s: Extension is lost.",
"drawElementsInstancedANGLE");
}
return;
}
......
......@@ -22,15 +22,7 @@ WebGLExtensionDebugShaders::~WebGLExtensionDebugShaders() {}
void WebGLExtensionDebugShaders::GetTranslatedShaderSource(
const WebGLShader& shader, nsAString& retval) const {
retval.SetIsVoid(true);
if (mIsLost) {
mContext->ErrorInvalidOperation("%s: Extension is lost.",
"getTranslatedShaderSource");
return;
}
if (mContext->IsContextLost()) return;
if (mIsLost || !mContext) return;
if (!mContext->ValidateObject("getShaderTranslatedSource: shader", shader))
return;
......
......@@ -34,7 +34,7 @@ already_AddRefed<WebGLQuery> WebGLExtensionDisjointTimerQuery::CreateQueryEXT()
void WebGLExtensionDisjointTimerQuery::DeleteQueryEXT(WebGLQuery* query) const {
const char funcName[] = "deleteQueryEXT";
if (mIsLost) return;
if (mIsLost || !mContext) return;
mContext->DeleteQuery(query, funcName);
}
......@@ -42,7 +42,7 @@ void WebGLExtensionDisjointTimerQuery::DeleteQueryEXT(WebGLQuery* query) const {
bool WebGLExtensionDisjointTimerQuery::IsQueryEXT(
const WebGLQuery* query) const {
const char funcName[] = "isQueryEXT";
if (mIsLost) return false;
if (mIsLost || !mContext) return false;
return mContext->IsQuery(query, funcName);
}
......@@ -50,14 +50,14 @@ bool WebGLExtensionDisjointTimerQuery::IsQueryEXT(
void WebGLExtensionDisjointTimerQuery::BeginQueryEXT(GLenum target,
WebGLQuery& query) const {
const char funcName[] = "beginQueryEXT";
if (mIsLost) return;
if (mIsLost || !mContext) return;
mContext->BeginQuery(target, query, funcName);
}
void WebGLExtensionDisjointTimerQuery::EndQueryEXT(GLenum target) const {
const char funcName[] = "endQueryEXT";
if (mIsLost) return;
if (mIsLost || !mContext) return;
mContext->EndQuery(target, funcName);
}
......@@ -65,7 +65,7 @@ void WebGLExtensionDisjointTimerQuery::EndQueryEXT(GLenum target) const {
void WebGLExtensionDisjointTimerQuery::QueryCounterEXT(WebGLQuery& query,
GLenum target) const {
const char funcName[] = "queryCounterEXT";
if (mIsLost) return;
if (mIsLost || !mContext) return;
if (!mContext->ValidateObject(funcName, query)) return;
......@@ -77,7 +77,7 @@ void WebGLExtensionDisjointTimerQuery::GetQueryEXT(
JS::MutableHandleValue retval) const {
const char funcName[] = "getQueryEXT";
retval.setNull();
if (mIsLost) return;
if (mIsLost || !mContext) return;
mContext->GetQuery(cx, target, pname, retval, funcName);
}
......@@ -87,7 +87,7 @@ void WebGLExtensionDisjointTimerQuery::GetQueryObjectEXT(
JS::MutableHandleValue retval) const {
const char funcName[] = "getQueryObjectEXT";
retval.setNull();
if (mIsLost) return;
if (mIsLost || !mContext) return;
mContext->GetQueryParameter(cx, query, pname, retval, funcName);
}
......
......@@ -27,7 +27,9 @@ WebGLExtensionDrawBuffers::~WebGLExtensionDrawBuffers() {}
void WebGLExtensionDrawBuffers::DrawBuffersWEBGL(
const dom::Sequence<GLenum>& buffers) {
if (mIsLost) {
mContext->ErrorInvalidOperation("drawBuffersWEBGL: Extension is lost.");
if (mContext) {
mContext->ErrorInvalidOperation("drawBuffersWEBGL: Extension is lost.");
}
return;
}
......
......@@ -22,8 +22,10 @@ WebGLExtensionInstancedArrays::~WebGLExtensionInstancedArrays() {}
void WebGLExtensionInstancedArrays::DrawArraysInstancedANGLE(
GLenum mode, GLint first, GLsizei count, GLsizei primcount) {
if (mIsLost) {
mContext->ErrorInvalidOperation("%s: Extension is lost.",
"drawArraysInstancedANGLE");
if (mContext) {
mContext->ErrorInvalidOperation("%s: Extension is lost.",
"drawArraysInstancedANGLE");
}
return;
}
......@@ -34,8 +36,10 @@ void WebGLExtensionInstancedArrays::DrawElementsInstancedANGLE(
GLenum mode, GLsizei count, GLenum type, WebGLintptr offset,
GLsizei primcount) {
if (mIsLost) {
mContext->ErrorInvalidOperation("%s: Extension is lost.",
"drawElementsInstancedANGLE");
if (mContext) {
mContext->ErrorInvalidOperation("%s: Extension is lost.",
"drawElementsInstancedANGLE");
}
return;
}
......@@ -45,8 +49,10 @@ void WebGLExtensionInstancedArrays::DrawElementsInstancedANGLE(
void WebGLExtensionInstancedArrays::VertexAttribDivisorANGLE(GLuint index,
GLuint divisor) {
if (mIsLost) {
mContext->ErrorInvalidOperation("%s: Extension is lost.",
"vertexAttribDivisorANGLE");
if (mContext) {
mContext->ErrorInvalidOperation("%s: Extension is lost.",
"vertexAttribDivisorANGLE");
}
return;
}
......
......@@ -15,9 +15,15 @@ WebGLExtensionLoseContext::WebGLExtensionLoseContext(WebGLContext* webgl)
WebGLExtensionLoseContext::~WebGLExtensionLoseContext() {}
void WebGLExtensionLoseContext::LoseContext() { mContext->LoseContext(); }
void WebGLExtensionLoseContext::RestoreContext() { mContext->RestoreContext(); }
void WebGLExtensionLoseContext::LoseContext() {
if (!mContext) return;
mContext->LoseContext();
}
void WebGLExtensionLoseContext::RestoreContext() {
if (!mContext) return;
mContext->RestoreContext();
}
IMPL_WEBGL_EXTENSION_GOOP(WebGLExtensionLoseContext, WEBGL_lose_context)
......
......@@ -20,6 +20,8 @@ WebGLExtensionMOZDebug::~WebGLExtensionMOZDebug() {}
void WebGLExtensionMOZDebug::GetParameter(JSContext* cx, GLenum pname,
JS::MutableHandle<JS::Value> retval,
ErrorResult& er) const {
if (mIsLost || !mContext) return;
const auto& gl = mContext->gl;
switch (pname) {
......
......@@ -20,26 +20,26 @@ WebGLExtensionVertexArray::~WebGLExtensionVertexArray() {}
already_AddRefed<WebGLVertexArray>
WebGLExtensionVertexArray::CreateVertexArrayOES() {
if (mIsLost) return nullptr;
if (mIsLost || !mContext) return nullptr;
return mContext->CreateVertexArray();
}
void WebGLExtensionVertexArray::DeleteVertexArrayOES(WebGLVertexArray* array) {
if (mIsLost) return;
if (mIsLost || !mContext) return;
mContext->DeleteVertexArray(array);
}
bool WebGLExtensionVertexArray::IsVertexArrayOES(
const WebGLVertexArray* array) {
if (mIsLost) return false;
if (mIsLost || !mContext) return false;
return mContext->IsVertexArray(array);
}
void WebGLExtensionVertexArray::BindVertexArrayOES(WebGLVertexArray* array) {
if (mIsLost) return;
if (mIsLost || !mContext) return;
mContext->BindVertexArray(array);
}
......
......@@ -6,8 +6,8 @@
#ifndef WEBGLOBJECTMODEL_H_
#define WEBGLOBJECTMODEL_H_
#include "mozilla/WeakPtr.h"
#include "nsCycleCollectionNoteChild.h"
#include "WebGLTypes.h"
namespace mozilla {
......@@ -23,7 +23,7 @@ class WebGLContext;
// as well as comparison with the current context.
class WebGLContextBoundObject {
public:
WebGLContext* const mContext;
const WeakPtr<WebGLContext> mContext;
private:
const uint32_t mContextGeneration;
......
......@@ -194,6 +194,16 @@ void WebGLRenderbuffer::RenderbufferStorage(const char* funcName,
if (error) {
const char* errorName = mContext->ErrorName(error);
mContext->GenerateWarning("%s generated error %s", funcName, errorName);
if (error != LOCAL_GL_OUT_OF_MEMORY) {
// Truncate.
mSamples = 0;
mFormat = nullptr;
mWidth = 0;
mHeight = 0;
mImageDataStatus = WebGLImageDataStatus::NoImageData;
InvalidateStatusOfAttachedFBs(funcName);
}
return;
}
......
......@@ -44,8 +44,6 @@ void WebGLTexture::ImageInfo::Clear(const char* funcName) {
}
void WebGLTexture::ImageInfo::Set(const char* funcName, const ImageInfo& a) {
MOZ_ASSERT(a.IsDefined());
Mutable(mFormat) = a.mFormat;
Mutable(mWidth) = a.mWidth;
Mutable(mHeight) = a.mHeight;
......@@ -1167,6 +1165,12 @@ void WebGLTexture::TexParameter(TexTarget texTarget, GLenum pname,
mContext->gl->fTexParameterf(texTarget.get(), pname, clamped.f);
}
void WebGLTexture::Truncate() {
for (auto& cur : mImageInfoArr) {
SetImageInfo("OUT_OF_MEMORY", &cur, ImageInfo());
}
}
////////////////////////////////////////////////////////////////////////////////
NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE_0(WebGLTexture)
......
......@@ -117,6 +117,7 @@ class WebGLTexture final : public nsWrapperCache,
uint32_t level,
const ImageInfo& newInfo);
public:
static const ImageInfo kUndefined;
......@@ -389,6 +390,7 @@ class WebGLTexture final : public nsWrapperCache,
const char** const out_reason, bool* const out_initFailed);
bool IsMipmapCubeComplete() const;
void Truncate();
bool IsCubeMap() const { return (mTarget == LOCAL_GL_TEXTURE_CUBE_MAP); }
......
......@@ -1148,6 +1148,7 @@ void WebGLTexture::TexStorage(const char* funcName, TexTarget target,
if (error == LOCAL_GL_OUT_OF_MEMORY) {
mContext->ErrorOutOfMemory(
"%s: Ran out of memory during texture allocation.", funcName);
Truncate();
return;
}
if (error) {
......@@ -1277,6 +1278,7 @@ void WebGLTexture::TexImage(const char* funcName, TexImageTarget target,
if (glError == LOCAL_GL_OUT_OF_MEMORY) {
mContext->ErrorOutOfMemory("%s: Driver ran out of memory during upload.",
funcName);
Truncate();
return;
}
......@@ -1364,6 +1366,7 @@ void WebGLTexture::TexSubImage(const char* funcName, TexImageTarget target,
if (glError == LOCAL_GL_OUT_OF_MEMORY) {
mContext->ErrorOutOfMemory("%s: Driver ran out of memory during upload.",
funcName);
Truncate();
return;
}
......@@ -1478,6 +1481,7 @@ void WebGLTexture::CompressedTexImage(const char* funcName,
if (error == LOCAL_GL_OUT_OF_MEMORY) {
mContext->ErrorOutOfMemory("%s: Ran out of memory during upload.",
funcName);
Truncate();
return;
}
if (error) {
......@@ -1632,6 +1636,7 @@ void WebGLTexture::CompressedTexSubImage(
if (error == LOCAL_GL_OUT_OF_MEMORY) {
mContext->ErrorOutOfMemory("%s: Ran out of memory during upload.",
funcName);
Truncate();
return;
}
if (error) {
......@@ -1996,7 +2001,7 @@ bool WebGLTexture::ValidateCopyTexImageForFeedback(const char* funcName,
}
static bool DoCopyTexOrSubImage(WebGLContext* webgl, const char* funcName,
bool isSubImage, const WebGLTexture* tex,
bool isSubImage, WebGLTexture* tex,
TexImageTarget target, GLint level,
GLint xWithinSrc, GLint yWithinSrc,
uint32_t srcTotalWidth, uint32_t srcTotalHeight,
......@@ -2073,6 +2078,7 @@ static bool DoCopyTexOrSubImage(WebGLContext* webgl, const char* funcName,
if (error == LOCAL_GL_OUT_OF_MEMORY) {
webgl->ErrorOutOfMemory("%s: Ran out of memory during texture copy.",
funcName);
tex->Truncate();
return false;
}
......
......@@ -2458,9 +2458,14 @@ mozilla::ipc::IPCResult BackgroundVersionChangeTransactionChild::RecvComplete(
database->Close();
}
RefPtr<IDBOpenDBRequest> request = mOpenDBRequest;
MOZ_ASSERT(request);
mTransaction->FireCompleteOrAbortEvents(aResult);
mOpenDBRequest->SetTransaction(nullptr);
request->SetTransaction(nullptr);
request = nullptr;
mOpenDBRequest = nullptr;
NoteComplete();
......
......@@ -107,7 +107,7 @@ void BaseMediaResource::SetLoadInBackground(bool aLoadInBackground) {
NS_WARNING("Null owner in MediaResource::SetLoadInBackground()");
return;
}
dom::HTMLMediaElement* element = owner->GetMediaElement();
RefPtr<dom::HTMLMediaElement> element = owner->GetMediaElement();
if (!element) {
NS_WARNING("Null element in MediaResource::SetLoadInBackground()");
return;
......
......@@ -628,7 +628,7 @@ nsPluginStreamListenerPeer::AsyncOnChannelRedirect(
return NS_ERROR_FAILURE;
}
// Don't allow cross-origin 307 POST redirects.
// Don't allow cross-origin 307/308 POST redirects.
nsCOMPtr<nsIHttpChannel> oldHttpChannel(do_QueryInterface(oldChannel));
if (oldHttpChannel) {
uint32_t responseStatus;
......@@ -636,7 +636,7 @@ nsPluginStreamListenerPeer::AsyncOnChannelRedirect(
if (NS_FAILED(rv)) {
return rv;
}
if (responseStatus == 307) {
if (responseStatus == 307 || responseStatus == 308) {
nsAutoCString method;
rv = oldHttpChannel->GetRequestMethod(method);
if (NS_FAILED(rv)) {
......
#define ANGLE_COMMIT_HASH "f474fbb607e0"
#define ANGLE_COMMIT_HASH "ed76a1a5ec3e"
#define ANGLE_COMMIT_HASH_SIZE 12
#define ANGLE_COMMIT_DATE "2018-10-30 14:29:30 -0700"
#define ANGLE_COMMIT_DATE "2019-06-24 20:02:02 -0700"
......@@ -19,6 +19,10 @@
#include <sstream>
#include <vector>
#ifndef constexpr14
#define constexpr14
#endif
// A helper class to disallow copy and assignment operators
namespace angle
{
......
......@@ -1362,7 +1362,10 @@ void State::detachBuffer(const Context *context, GLuint bufferName)
curTransformFeedback->detachBuffer(context, bufferName);
}
getVertexArray()->detachBuffer(context, bufferName);
if (getVertexArray()->detachBuffer(context, bufferName))
{
mDirtyObjects.set(DIRTY_OBJECT_VERTEX_ARRAY);
}
}
void State::setEnableVertexAttribArray(unsigned int attribNum, bool enabled)
......
......@@ -72,20 +72,28 @@ const std::string &VertexArray::getLabel() const
return mState.mLabel;
}
void VertexArray::detachBuffer(const Context *context, GLuint bufferName)
bool VertexArray::detachBuffer(const Context *context, GLuint bufferName)
{
for (auto &binding : mState.mVertexBindings)
bool anyBufferDetached = false;
for (size_t bindingIndex = 0; bindingIndex < gl::MAX_VERTEX_ATTRIB_BINDINGS; ++bindingIndex)
{
VertexBinding &binding = mState.mVertexBindings[bindingIndex];
if (binding.getBuffer().id() == bufferName)
{
binding.setBuffer(context, nullptr);
anyBufferDetached = true;
}
}
if (mState.mElementArrayBuffer.id() == bufferName)
{
mState.mElementArrayBuffer.set(context, nullptr);
mDirtyBits.set(DIRTY_BIT_ELEMENT_ARRAY_BUFFER);
anyBufferDetached = true;
}
return anyBufferDetached;
}
const VertexAttribute &VertexArray::getVertexAttribute(size_t attribIndex) const
......
......@@ -91,7 +91,9 @@ class VertexArray final : public LabeledObject
return mState.getBindingFromAttribIndex(attribIndex);
}
void detachBuffer(const Context *context, GLuint bufferName);
// Returns true if the function finds and detaches a bound buffer.
bool detachBuffer(const Context *context, GLuint bufferName);
void setVertexAttribDivisor(const Context *context, size_t index, GLuint divisor);
void enableAttribute(size_t attribIndex, bool enabledState);
void setVertexAttribPointer(const Context *context,
......
......@@ -37,7 +37,23 @@ enum
CONSTANT_VERTEX_BUFFER_SIZE = 4096
};
// Warning: you should ensure binding really matches attrib.bindingIndex before using this function.
// Warning: ensure the binding matches attrib.bindingIndex before using these functions.
int64_t GetMaxAttributeByteOffsetForDraw(const gl::VertexAttribute &attrib,
const gl::VertexBinding &binding,
int64_t elementCount)
{
CheckedNumeric<int64_t> stride = ComputeVertexAttributeStride(attrib, binding);
CheckedNumeric<int64_t> offset = ComputeVertexAttributeOffset(attrib, binding);
CheckedNumeric<int64_t> size = ComputeVertexAttributeTypeSize(attrib);
ASSERT(elementCount > 0);
CheckedNumeric<int64_t> result =
stride * (CheckedNumeric<int64_t>(elementCount) - 1) + size + offset;
return result.ValueOrDefault(std::numeric_limits<int64_t>::max());
}
// Warning: ensure the binding matches attrib.bindingIndex before using these functions.
int ElementsInBuffer(const gl::VertexAttribute &attrib,
const gl::VertexBinding &binding,
unsigned int size)
......@@ -478,10 +494,11 @@ gl::Error VertexDataManager::reserveSpaceForAttrib(const TranslatedAttribute &tr
GLint firstVertexIndex = binding.getDivisor() > 0 ? 0 : start;
int64_t maxVertexCount =
static_cast<int64_t>(firstVertexIndex) + static_cast<int64_t>(totalCount);
int elementsInBuffer =
ElementsInBuffer(attrib, binding, static_cast<unsigned int>(bufferD3D->getSize()));
if (maxVertexCount > elementsInBuffer)
int64_t maxByte = GetMaxAttributeByteOffsetForDraw(attrib, binding, maxVertexCount);
ASSERT(bufferD3D->getSize() <= static_cast<size_t>(std::numeric_limits<int64_t>::max()));
if (maxByte > static_cast<int64_t>(bufferD3D->getSize()))
{
return gl::InvalidOperation() << "Vertex buffer is not big enough for the draw call.";
}
......
......@@ -23,6 +23,11 @@ constexpr FLOAT kDebugColorInitClearValue[4] = {0.3f, 0.5f, 0.7f, 0.5f};
constexpr FLOAT kDebugDepthInitValue = 0.2f;
constexpr UINT8 kDebugStencilInitValue = 3;
// A hard limit on buffer size. This works around a problem in the NVIDIA drivers where buffer sizes
// close to MAX_UINT would give undefined results. The limit of MAX_UINT/2 should be generous enough
// for almost any demanding application.
constexpr UINT kMaximumBufferSizeHardLimit = std::numeric_limits<UINT>::max() >> 1;
uint64_t ComputeMippedMemoryUsage(unsigned int width,
unsigned int height,
unsigned int depth,
......@@ -109,6 +114,12 @@ HRESULT CreateResource(ID3D11Device *device,
const D3D11_SUBRESOURCE_DATA *initData,
ID3D11Buffer **buffer)
{
// Force buffers to be limited to a fixed max size.
if (desc->ByteWidth > kMaximumBufferSizeHardLimit)
{
return E_OUTOFMEMORY;
}
return device->CreateBuffer(desc, initData, buffer);
}
......
......@@ -77,6 +77,11 @@ enum
MAX_TEXTURE_IMAGE_UNITS_VTF_SM3 = 4
};
// A hard limit on buffer size. This works around a problem in the NVIDIA drivers where buffer sizes
// close to MAX_UINT would give undefined results. The limit of MAX_UINT/2 should be generous enough
// for almost any demanding application.
constexpr UINT kMaximumBufferSizeHardLimit = std::numeric_limits<UINT>::max() >> 1;
Renderer9::Renderer9(egl::Display *display) : RendererD3D(display), mStateManager(this)
{
mD3d9Module = nullptr;
......@@ -880,6 +885,12 @@ HRESULT Renderer9::createVertexBuffer(UINT Length,
DWORD Usage,
IDirect3DVertexBuffer9 **ppVertexBuffer)
{
// Force buffers to be limited to a fixed max size.
if (Length > kMaximumBufferSizeHardLimit)
{
return E_OUTOFMEMORY;
}
D3DPOOL Pool = getBufferPool(Usage);
return mDevice->CreateVertexBuffer(Length, Usage, 0, Pool, ppVertexBuffer, nullptr);
}
......@@ -894,6 +905,12 @@ HRESULT Renderer9::createIndexBuffer(UINT Length,
D3DFORMAT Format,
IDirect3DIndexBuffer9 **ppIndexBuffer)