webkitgtk/backport-CVE-2024-4558.patch

From 9d7ec80f78039e6646fcfc455ab4c05aa393f34c Mon Sep 17 00:00:00 2001
From: Kimmo Kinnunen <kkinnunen@apple.com>
Date: Tue, 14 May 2024 22:37:29 -0700
Subject: [PATCH] Cherry-pick ANGLE.
 https://bugs.webkit.org/show_bug.cgi?id=274165

https://bugs.webkit.org/show_bug.cgi?id=274165
rdar://127764804

Reviewed by Dan Glastonbury.

Cherry-pick ANGLE upstream commit 1bb1ee061fe0bce322fb93b447a72e72c993a1f2:

GL: Sync unpack state for glCompressedTexSubImage3D

Unpack state is supposed to be ignored for compressed tex image calls
but some drivers use it anyways and read incorrect data.

Texture3DTestES3.PixelUnpackStateTexSubImage covers this case.

Bug: chromium:337766133
Change-Id: Ic11a056113b1850bd5b4d6840527164a12849a22
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5498735
Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>
Canonical link: https://commits.webkit.org/274313.341@webkitglib/2.44
---
 Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
index c659aacb9e48..f96eefe53f11 100644
--- a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
+++ b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
@@ -664,6 +664,7 @@ angle::Result TextureGL::setCompressedSubImage(const gl::Context *context,
         nativegl::GetCompressedSubTexImageFormat(functions, features, format);
 
     stateManager->bindTexture(getType(), mTextureID);
+    ANGLE_TRY(stateManager->setPixelUnpackState(context, unpack));
     if (nativegl::UseTexImage2D(getType()))
     {
         ASSERT(area.z == 0 && area.depth == 1);
fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780 2024-08-26 02:09:02 +00:00			`From 9d7ec80f78039e6646fcfc455ab4c05aa393f34c Mon Sep 17 00:00:00 2001`
			`From: Kimmo Kinnunen <kkinnunen@apple.com>`
			`Date: Tue, 14 May 2024 22:37:29 -0700`
			`Subject: [PATCH] Cherry-pick ANGLE.`
			`https://bugs.webkit.org/show_bug.cgi?id=274165`

			`https://bugs.webkit.org/show_bug.cgi?id=274165`
			`rdar://127764804`

			`Reviewed by Dan Glastonbury.`

			`Cherry-pick ANGLE upstream commit 1bb1ee061fe0bce322fb93b447a72e72c993a1f2:`

			`GL: Sync unpack state for glCompressedTexSubImage3D`

			`Unpack state is supposed to be ignored for compressed tex image calls`
			`but some drivers use it anyways and read incorrect data.`

			`Texture3DTestES3.PixelUnpackStateTexSubImage covers this case.`

			`Bug: chromium:337766133`
			`Change-Id: Ic11a056113b1850bd5b4d6840527164a12849a22`
			`Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5498735`
			`Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>`
			`Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>`
			`Canonical link: https://commits.webkit.org/274313.341@webkitglib/2.44`
			`---`
			`Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp \| 1 +`
			`1 file changed, 1 insertion(+)`

			`diff --git a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp`
			`index c659aacb9e48..f96eefe53f11 100644`
			`--- a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp`
			`+++ b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp`
			`@@ -664,6 +664,7 @@ angle::Result TextureGL::setCompressedSubImage(const gl::Context *context,`
			`nativegl::GetCompressedSubTexImageFormat(functions, features, format);`

			`stateManager->bindTexture(getType(), mTextureID);`
			`+ ANGLE_TRY(stateManager->setPixelUnpackState(context, unpack));`
			`if (nativegl::UseTexImage2D(getType()))`
			`{`
			`ASSERT(area.z == 0 && area.depth == 1);`