Skip to content
This repository was archived by the owner on Jul 9, 2025. It is now read-only.

Commit 79fa5ae

Browse files
committed
Bug 1427668 - Reject too-large MozFramebuffer requests. - r=daoshengmu
MozReview-Commit-ID: G2jqeb7QqhE
1 parent df8e8db commit 79fa5ae

3 files changed

Lines changed: 15 additions & 5 deletions

File tree

gfx/gl/GLContext.h

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -3621,11 +3621,10 @@ class GLContext
36213621
return true;
36223622
}
36233623

3624-
36253624
public:
3626-
GLsizei MaxSamples() const {
3627-
return mMaxSamples;
3628-
}
3625+
auto MaxSamples() const { return uint32_t(mMaxSamples); }
3626+
auto MaxTextureSize() const { return uint32_t(mMaxTextureSize); }
3627+
auto MaxRenderbufferSize() const { return uint32_t(mMaxRenderbufferSize); }
36293628

36303629
#ifdef MOZ_GL_DEBUG
36313630
void CreatedProgram(GLContext* aOrigin, GLuint aName);

gfx/gl/GLScreenBuffer.cpp

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -817,7 +817,7 @@ DrawBuffer::Create(GLContext* const gl,
817817
if (formats.samples == 0)
818818
return false; // Can't create it.
819819

820-
MOZ_ASSERT(formats.samples <= gl->MaxSamples());
820+
MOZ_ASSERT(uint32_t(formats.samples) <= gl->MaxSamples());
821821
}
822822

823823
GLuint colorMSRB = 0;

gfx/gl/MozFramebuffer.cpp

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35,12 +35,23 @@ MozFramebuffer::Create(GLContext* const gl, const gfx::IntSize& size,
3535
GLenum colorTarget;
3636
GLuint colorName;
3737
if (samples) {
38+
if (uint32_t(size.width) > gl->MaxRenderbufferSize() ||
39+
uint32_t(size.height) > gl->MaxRenderbufferSize() ||
40+
samples > gl->MaxSamples())
41+
{
42+
return nullptr;
43+
}
3844
colorTarget = LOCAL_GL_RENDERBUFFER;
3945
colorName = gl->CreateRenderbuffer();
4046
const ScopedBindRenderbuffer bindRB(gl, colorName);
4147
gl->fRenderbufferStorageMultisample(colorTarget, samples, LOCAL_GL_RGBA8,
4248
size.width, size.height);
4349
} else {
50+
if (uint32_t(size.width) > gl->MaxTextureSize() ||
51+
uint32_t(size.height) > gl->MaxTextureSize())
52+
{
53+
return nullptr;
54+
}
4455
colorTarget = LOCAL_GL_TEXTURE_2D;
4556
colorName = gl->CreateTexture();
4657
const ScopedBindTexture bindTex(gl, colorName);

0 commit comments

Comments
 (0)