Guard against some arithmetic overflows
Fixes locations that explicitly have TODOs about
checking for overflow. Also fixup other locations found while
searching the code for arithmetic operations.
Fixes: dawn:830
Change-Id: I4ef6b97a9cde14439e573a1da8d569ab985efc53
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/55605
Reviewed-by: Jiawei Shao <jiawei.shao@intel.com>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Austin Eng <enga@chromium.org>
diff --git a/src/dawn_native/vulkan/UtilsVulkan.cpp b/src/dawn_native/vulkan/UtilsVulkan.cpp
index 7375377..c6952d4 100644
--- a/src/dawn_native/vulkan/UtilsVulkan.cpp
+++ b/src/dawn_native/vulkan/UtilsVulkan.cpp
@@ -83,11 +83,13 @@
Extent3D validTextureCopyExtent = copySize;
const TextureBase* texture = textureCopy.texture.Get();
Extent3D virtualSizeAtLevel = texture->GetMipLevelVirtualSize(textureCopy.mipLevel);
- if (textureCopy.origin.x + copySize.width > virtualSizeAtLevel.width) {
+ ASSERT(textureCopy.origin.x <= virtualSizeAtLevel.width);
+ ASSERT(textureCopy.origin.y <= virtualSizeAtLevel.height);
+ if (copySize.width > virtualSizeAtLevel.width - textureCopy.origin.x) {
ASSERT(texture->GetFormat().isCompressed);
validTextureCopyExtent.width = virtualSizeAtLevel.width - textureCopy.origin.x;
}
- if (textureCopy.origin.y + copySize.height > virtualSizeAtLevel.height) {
+ if (copySize.height > virtualSizeAtLevel.height - textureCopy.origin.y) {
ASSERT(texture->GetFormat().isCompressed);
validTextureCopyExtent.height = virtualSizeAtLevel.height - textureCopy.origin.y;
}
