Fix overflow in gl::ValidateES2TexImageParametersBase Bug: chromium:1222516 Change-Id: I532dc6e1c80c442af2c35d1facc262c48222def3 Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/2978251 Reviewed-by: Jamie Madill <jmadill@chromium.org> Reviewed-by: Geoff Lang <geofflang@chromium.org> Commit-Queue: Alexey Knyazev <lexa.knyazev@gmail.com>
diff --git a/src/libANGLE/validationES2.cpp b/src/libANGLE/validationES2.cpp
index d635fe9..5b63456 100644
--- a/src/libANGLE/validationES2.cpp
+++ b/src/libANGLE/validationES2.cpp
@@ -964,8 +964,8 @@
 return false;
 }
- if (xoffset < 0 || std::numeric_limits<GLsizei>::max() - xoffset < width ||
- std::numeric_limits<GLsizei>::max() - yoffset < height)
+ if ((xoffset < 0 || std::numeric_limits<GLsizei>::max() - xoffset < width) ||
+ (yoffset < 0 || std::numeric_limits<GLsizei>::max() - yoffset < height))
 {
 context->validationError(GL_INVALID_VALUE, kResourceMaxTextureSize);
 return false;
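Review bot: The corrected condition is safe only because each sign test short-circuits before its `std::numeric_limits<GLsizei>::max() - offset` subtraction, and nothing in the code records that dependency. A comment above the `if`, such as `// Check the sign first: max() - offset overflows (undefined behaviour) when the offset is negative.`, would keep a later simplification from reintroducing the overflow. A negative offset is also still reported with `kResourceMaxTextureSize`, which describes a different failure; a separate branch with a negative-offset message, if the project has one, would make the GL_INVALID_VALUE easier to diagnose. Whether `width` and `height` are already known to be non-negative at this point cannot be seen, because the enclosing function starts and ends outside the hunk.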
diff --git a/src/tests/gl_tests/TextureTest.cpp b/src/tests/gl_tests/TextureTest.cpp
index 1976326..ce5d9e3 100644
--- a/src/tests/gl_tests/TextureTest.cpp
+++ b/src/tests/gl_tests/TextureTest.cpp
@@ -3007,6 +3007,22 @@
 EXPECT_GL_NO_ERROR();
 }
+// Regression test for https://crbug.com/1222516 to prevent integer overflow during validation.
+TEST_P(Texture2DTest, SubImageValidationOverflow)
+{
+ glActiveTexture(GL_TEXTURE0);
+ glBindTexture(GL_TEXTURE_2D, mTexture2D);
+
+ glTexImage2D(GL_TEXTURE_2D, 0, GL_RGBA, 8, 8, 0, GL_RGBA, GL_UNSIGNED_BYTE, nullptr);
+ EXPECT_GL_NO_ERROR();
+
+ glTexSubImage2D(GL_TEXTURE_2D, 0, -4, 0, 2147483647, 1, GL_RGBA, GL_UNSIGNED_BYTE, nullptr);
+ EXPECT_GL_ERROR(GL_INVALID_VALUE);
+
+ glTexSubImage2D(GL_TEXTURE_2D, 0, 0, -4, 1, 2147483647, GL_RGBA, GL_UNSIGNED_BYTE, nullptr);
+ EXPECT_GL_ERROR(GL_INVALID_VALUE);
+}
+
 void FillLevel(GLint level,
 GLuint width,
 GLuint height,
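Review bot: Both new calls in SubImageValidationOverflow pass a negative offset, so the sign test short-circuits and the `max() - offset < size` comparison in the validator is never reached by this test. A positive-offset case would cover that branch too, e.g. `glTexSubImage2D(GL_TEXTURE_2D, 0, 4, 0, 2147483647, 1, GL_RGBA, GL_UNSIGNED_BYTE, nullptr);` followed by `EXPECT_GL_ERROR(GL_INVALID_VALUE);`. That case presumably yields the same error, but this should be confirmed against the earlier checks in the validator. The test comment could also state that the negative offset paired with a size of 2147483647 is the combination that made the old subtraction overflow, so the constants are not mistaken for arbitrary values.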