Status: Fixed
Closed: Nov 2016
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Security: Incorrect validation of CopyBufferSubData in ANGLE
Reported by, Oct 31 2016
Please provide a brief explanation of the security issue.

In src/third_party/angle/src/libGLESv2/entry_points_gles_3_0.cpp, in the
function CopyBufferSubData, there is incorrect validation of the
readOffset and writeOffset values:

        if (readOffset < 0 || writeOffset < 0 || size < 0 ||
            static_cast<unsigned int>(readOffset + size) > readBuffer->getSize() ||
            static_cast<unsigned int>(writeOffset + size) > writeBuffer->getSize())

readOffset and writeOffset are both type GLintptr, which is 64 bits long.
static_cast<unsigned int>(readOffset + size) can result in truncation if
readOffset + size exceeds 32 bits, causing the validation to pass
with invalid offsets.

This is the only validation of these arguments that occurs on the GPU process.

Note that this is only reachable via ES3, but this is now enabled by default
on Windows:

Chrome Version: 55.0.2873.0 + beta
Operating System: Windows

A demonstration of the incorrect validation is attached as
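To make the truncation concrete, here is an added example (not ANGLE's code and not the reporter's attachment) that places the quoted check next to a checked-arithmetic version of the kind the later fix commit describes. The `GLintptr`/`GLsizeiptr` typedefs and the `ToyBuffer` struct are stand-ins assumed for the example; the function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// Assumed stand-ins for the GL pointer-sized types and ANGLE's buffer object
// (not ANGLE's own declarations). GLintptr/GLsizeiptr are 64 bits wide here.
typedef int64_t GLintptr;
typedef int64_t GLsizeiptr;

struct ToyBuffer {
    size_t size;
    size_t getSize() const { return size; }
};

// The check as quoted in the report: the sum is computed in 64 bits and then
// narrowed to unsigned int before the bounds comparison, so any sum that
// exceeds 32 bits wraps and the comparison can pass for an out-of-range offset.
bool validateTruncating(GLintptr readOffset, GLintptr writeOffset, GLsizeiptr size,
                        const ToyBuffer& readBuffer, const ToyBuffer& writeBuffer) {
    if (readOffset < 0 || writeOffset < 0 || size < 0 ||
        static_cast<unsigned int>(readOffset + size) > readBuffer.getSize() ||
        static_cast<unsigned int>(writeOffset + size) > writeBuffer.getSize()) {
        return false;
    }
    return true;
}

// Illustrative "safe math": the caller has already rejected negatives, so
// offset + size cannot overflow if size <= INT64_MAX - offset; the end offset
// is then compared at full width with no narrowing cast.
static bool endOffsetFits(GLintptr offset, GLsizeiptr size, size_t bufferSize) {
    if (size > std::numeric_limits<GLintptr>::max() - offset) {
        return false;  // offset + size would overflow int64_t
    }
    uint64_t end = static_cast<uint64_t>(offset) + static_cast<uint64_t>(size);
    return end <= static_cast<uint64_t>(bufferSize);
}

bool validateChecked(GLintptr readOffset, GLintptr writeOffset, GLsizeiptr size,
                     const ToyBuffer& readBuffer, const ToyBuffer& writeBuffer) {
    if (readOffset < 0 || writeOffset < 0 || size < 0) {
        return false;
    }
    return endOffsetFits(readOffset, size, readBuffer.getSize()) &&
           endOffsetFits(writeOffset, size, writeBuffer.getSize());
}

int main() {
    ToyBuffer src{1024}, dst{1024};  // constructed sample buffers
    GLintptr hugeOffset = GLintptr(1) << 32;  // one past the 32-bit range
    std::printf("in-range copy:      truncating=%d checked=%d\n",
                validateTruncating(0, 512, 256, src, dst),
                validateChecked(0, 512, 256, src, dst));
    std::printf("offset beyond 2^32: truncating=%d checked=%d\n",
                validateTruncating(hugeOffset, 0, 16, src, dst),
                validateChecked(hugeOffset, 0, 16, src, dst));
    return 0;
}
```

The second line of output is the bug: the truncating check accepts a read offset of 2^32 against a 1 KB buffer because `2^32 + 16` narrows to `16`, while the checked version rejects it.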
Comment 1 by, Oct 31 2016
Components: Internals>GPU>ANGLE
Labels: Security_Severity-Medium Security_Impact-Stable OS-All
Status: Assigned
zmo@, I wonder if you can take a look at this. Thanks!
Project Member Comment 2 by, Nov 1 2016
Labels: M-55
Project Member Comment 3 by, Nov 1 2016
Labels: Pri-1
Comment 4 by, Nov 1 2016
jmadill: can you take this?

FWIW: chrome's command buffer validation handles overflow checking, so it won't reach ANGLE. That said, it would be nice for ANGLE to beef up.
Status: Started
zmo@, could you point me at where this validation happens in the command buffer?
Project Member Comment 7 by, Nov 2 2016
The following revision refers to this bug:

commit d2f0c74c8517365302fffcc2dc7b86778c2a6211
Author: Jamie Madill <>
Date: Wed Nov 02 14:34:41 2016

Use safe math in ValidateCopyBufferSubData.

This should fix any potential out of bounds reads/writes.

BUG= chromium:660854 

Change-Id: Iffa00e4551d7362115cbf023a09b1d0e15f724c8
Commit-Queue: Jamie Madill <>
Reviewed-by: Corentin Wallez <>


Labels: reward-topanel
Nice find! Thanks for the report.
Project Member Comment 9 by, Nov 4 2016
The following revision refers to this bug:

commit b42220eced72b0a5333ba28c6dd7ccf3a5178d40
Author: ynovikov <>
Date: Fri Nov 04 19:27:25 2016

Roll ANGLE eb66a6e..bbe9fb5



Cr-Commit-Position: refs/heads/master@{#429975}


Status: Fixed
Project Member Comment 11 by, Nov 11 2016
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member Comment 12 by, Nov 13 2016
Labels: Merge-Request-55
Comment 13 by, Nov 13 2016
Labels: -Merge-Request-55 Merge-Review-55 Hotlist-Merge-Review
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
I don't think this is necessary to merge. As zmo says in #4, command buffer should filter invalid GL calls from reaching ANGLE.

Mo can you confirm?
+awhalley@ (Security TPM).
zmo@, could you please reply to comment #14. Thank you.
Comment 17 by, Nov 14 2016
Yes, I agree with jmadill.  We don't have a security issue in Chrome as far as this bug is concerned, so no need to merge.
Also, FYI, merging this change should not be terribly difficult. It may not have a dependency, would have to check, but I don't think so.
If merge to M55 is NOT needed, then please remove "Merge-Review-55" label. Thank you.
Comment 20 by, Nov 14 2016
Labels: -Merge-Review-55
Labels: -Hotlist-Merge-Review -reward-topanel reward-0
No reward for this one as it can't be triggered from Chrome, per comment 17
That's too bad - this bug would become triggered from Chrome once we complete issue 602688 and ship it on Windows. It would be unfortunate to discourage people from looking at bugs in ANGLE's validation that will become serious security issues in the future.
Labels: reward-topanel
From issue 602688 "while still performing security checks" :-)

Thanks for the heads up - I'll send this back to the panel to reconsider given that information.

Labels: Release-0-M55
Labels: -reward-topanel reward-unpaid reward-1000
On second thoughts, the panel decided to reward $1,000 for this bug, thanks!
That's amazing! Thank you!
Labels: -reward-0
Labels: -reward-unpaid reward-inprocess
Labels: CVE-2016-5221
Project Member Comment 32 by, Feb 17 2017
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot