Bug 1250710 - Offset reduces available bytes. - r=jrmuizel
MozReview-Commit-ID: 6tHKEQQ0jN8
--- a/dom/canvas/WebGLContextGL.cpp
+++ b/dom/canvas/WebGLContextGL.cpp
@@ -1690,26 +1690,31 @@ WebGL2Context::ReadPixels(GLint x, GLint
return;
}
if (offset < 0) {
ErrorInvalidValue("readPixels: offset must not be negative.");
return;
}
- const auto bytesAvailable = mBoundPixelPackBuffer->ByteLength();
+ const auto bufferLen = mBoundPixelPackBuffer->ByteLength();
+ const auto bytesAvailable = CheckedInt<intptr_t>(bufferLen) - offset;
+ if (!bytesAvailable.isValid() || bytesAvailable.value() < 0) {
+ ErrorInvalidOperation("readPixels: Offset too large for PBO.");
+ return;
+ }
uint8_t bytesPerPixel;
uint32_t startOffset;
uint32_t rowStride;
uint32_t readX, readY;
uint32_t writeX, writeY;
uint32_t rwWidth, rwHeight;
const webgl::FormatInfo* srcFormat;
- if (!ValidateReadPixels(x, y, width, height, format, type, bytesAvailable,
+ if (!ValidateReadPixels(x, y, width, height, format, type, bytesAvailable.value(),
&bytesPerPixel, &startOffset, &rowStride, &readX, &readY,
&writeX, &writeY, &rwWidth, &rwHeight, &srcFormat))
{
return;
}
{
const auto bytesPerType = webgl::BytesPerPixel({LOCAL_GL_RED, type});
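Review bot: The argument handed to ValidateReadPixels is now `bytesAvailable.value()`, an `intptr_t`, and the parameter type it converts to is not visible in this hunk. If that parameter is narrower than `intptr_t` (the out-params next to it are `uint32_t`), a large remaining length would be narrowed implicitly after the new guard has already passed, so the declared type is worth confirming. Separately, `bytesAvailable` has changed from a plain length to a `CheckedInt`, which is easy to misread later in the function; consider unwrapping once after the guard, e.g. `const auto checkedAvail = CheckedInt<intptr_t>(bufferLen) - offset;` and then `const auto bytesAvailable = checkedAvail.value();`. A short comment such as `// Bytes left in the PBO after |offset|; validation must not see the full buffer length.` would record why the subtraction exists. ReadPixels starts and ends outside the hunk, so how `offset` is applied to the actual write cannot be checked from here.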