Add size checks for glBufferData and glBufferSubData

Without the size checks it's possible for calls to glBufferData and glBufferSubData to read off the end of the Buffer object's data, which can cause page faults. Fix end-of-line characters for the "spec" files. (That's why every line of these files is changed.) Enhance our code emitter to properly handle bounds checks for possibly-null pointers.
author: Jack Palevich <jackpal@google.com> 2009-10-21 11:02:44 -0700
committer: Jack Palevich <jackpal@google.com> 2009-10-21 11:02:44 -0700
commit: c620a52b69a5f29563e06497e30877809f5d67a5 (patch)
tree: b0771555e1063ed4653cdfc454a209998a236bb0 /core/jni/android_opengl_GLES11.cpp
parent: d443ba4534b88fe6dfd3bd8f1dd1dc8451ed6734 (diff)
download: frameworks_base-c620a52b69a5f29563e06497e30877809f5d67a5.zip
frameworks_base-c620a52b69a5f29563e06497e30877809f5d67a5.tar.gz
frameworks_base-c620a52b69a5f29563e06497e30877809f5d67a5.tar.bz2
1 files changed, 12 insertions, 0 deletions
diff --git a/core/jni/android_opengl_GLES11.cpp b/core/jni/android_opengl_GLES11.cpp
index ed8dfc8..44213ed 100644
--- a/core/jni/android_opengl_GLES11.cpp
+++ b/core/jni/android_opengl_GLES11.cpp
@@ -144,6 +144,10 @@ android_glBufferData__IILjava_nio_Buffer_2I
 
     if (data_buf) {
         data = (GLvoid *)getPointer(_env, data_buf, &_array, &_remaining);
+        if (_remaining < size) {
+            _env->ThrowNew(IAEClass, "remaining() < size");
+            goto exit;
+        }
     }
     glBufferData(
         (GLenum)target,
@@ -151,6 +155,8 @@ android_glBufferData__IILjava_nio_Buffer_2I
         (GLvoid *)data,
         (GLenum)usage
     );
+
+exit:
     if (_array) {
         releasePointer(_env, _array, data, JNI_FALSE);
     }
@@ -165,12 +171,18 @@ android_glBufferSubData__IIILjava_nio_Buffer_2
     GLvoid *data = (GLvoid *) 0;
 
     data = (GLvoid *)getPointer(_env, data_buf, &_array, &_remaining);
+    if (_remaining < size) {
+        _env->ThrowNew(IAEClass, "remaining() < size");
+        goto exit;
+    }
     glBufferSubData(
         (GLenum)target,
         (GLintptr)offset,
         (GLsizeiptr)size,
         (GLvoid *)data
     );
+
+exit:
     if (_array) {
         releasePointer(_env, _array, data, JNI_FALSE);
     }
author	Jack Palevich <jackpal@google.com>	2009-10-21 11:02:44 -0700
committer	Jack Palevich <jackpal@google.com>	2009-10-21 11:02:44 -0700
commit	c620a52b69a5f29563e06497e30877809f5d67a5 (patch)
tree	b0771555e1063ed4653cdfc454a209998a236bb0 /core/jni/android_opengl_GLES11.cpp
parent	d443ba4534b88fe6dfd3bd8f1dd1dc8451ed6734 (diff)
download	frameworks_base-c620a52b69a5f29563e06497e30877809f5d67a5.zip frameworks_base-c620a52b69a5f29563e06497e30877809f5d67a5.tar.gz frameworks_base-c620a52b69a5f29563e06497e30877809f5d67a5.tar.bz2