Created attachment 577251 [details] [diff] [review]
I have no idea how I've been able to create 3 separate bugs in 3 lines of code. This was done in a rush for bug 635666.
The first bug is that (level <= mMaxLevelWithCustomImages) didn't account for the case where no image at all has been defined, so the array length is zero.
The second bug is that ImageInfoAt(level, 0) should have been ImageInfoAt(level, face).
The third bug is only theoretical: we weren't really checking for integer overflow. This couldn't really be exploited in practice though, as doing so would have required creating arrays larger than addressable space. But since this function is security-critical (see bug 635666) let's be future-proof.
I don't think we need to hide this as a security bug, there's no immediate vulnerability here.
Is this something QA can verify?
The only useful thing to do here would be to add a unit test; ping me after holidays if you think this is worth it (the likelihood of a regression around here seems low to me). This function is used by webgl.texImage2D so a unit test would do corresponding texImage2D calls hitting the cases that were improperly handled, as described in comment 0.
I defer to your judgement to whether or not a unit test is useful here. Without it, this fix will likely not be verifiable.