Diff
Modified: branches/safari-607-branch/LayoutTests/ChangeLog (243583 => 243584)
--- branches/safari-607-branch/LayoutTests/ChangeLog 2019-03-27 23:44:09 UTC (rev 243583)
+++ branches/safari-607-branch/LayoutTests/ChangeLog 2019-03-27 23:44:12 UTC (rev 243584)
@@ -1,5 +1,47 @@
2019-03-27 Alan Coon <alanc...@apple.com>
+ Cherry-pick r243506. rdar://problem/49307987
+
+ vertexAttribPointer must restrict offset parameter
+ https://bugs.webkit.org/show_bug.cgi?id=196261
+ <rdar://problem/48458086>
+
+ Reviewed by Antoine Quint.
+
+ Source/WebCore:
+
+ This WebGL function should fail if the offset parameter is
+ not within [0, max 32-bit int].
+
+ Test: fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html
+
+ * html/canvas/WebGLRenderingContextBase.cpp:
+ (WebCore::WebGLRenderingContextBase::vertexAttribPointer):
+
+ LayoutTests:
+
+ Add a test where the offset parameter is out of bounds.
+
+ * fast/canvas/webgl/vertexAttribPointer-with-bad-offset-expected.txt: Added.
+ * fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html: Added.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243506 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-03-26 Dean Jackson <d...@apple.com>
+
+ vertexAttribPointer must restrict offset parameter
+ https://bugs.webkit.org/show_bug.cgi?id=196261
+ <rdar://problem/48458086>
+
+ Reviewed by Antoine Quint.
+
+ Add a test where the offset parameter is out of bounds.
+
+ * fast/canvas/webgl/vertexAttribPointer-with-bad-offset-expected.txt: Added.
+ * fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html: Added.
+
+2019-03-27 Alan Coon <alanc...@apple.com>
+
Cherry-pick r243331. rdar://problem/49308068
Do not insert the first-letter anonymous container until after we've constructed the first-letter renderer.
Added: branches/safari-607-branch/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset-expected.txt (0 => 243584)
--- branches/safari-607-branch/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset-expected.txt (rev 0)
+++ branches/safari-607-branch/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset-expected.txt 2019-03-27 23:44:12 UTC (rev 243584)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 49: WebGL: INVALID_VALUE: vertexAttribPointer: bad offset
+CONSOLE MESSAGE: line 56: WebGL: INVALID_OPERATION: drawArrays: attempt to access out of bounds arrays
+PASS: vertexAttribPointer should have an error.
+
Added: branches/safari-607-branch/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html (0 => 243584)
--- branches/safari-607-branch/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html (rev 0)
+++ branches/safari-607-branch/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html 2019-03-27 23:44:12 UTC (rev 243584)
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+<script id="vshader" type="x-shader/x-vertex">
+attribute vec4 a1;
+void main () {
+gl_Position = a1;
+}
+</script>
+
+<script id="fshader" type="x-shader/x-fragment">
+#ifdef GL_ES
+precision highp float;
+#endif
+void main() {
+gl_FragColor = vec4(1.0, 1.0, 1.0, 1.0);
+}
+</script>
+
+<body>
+<div id="results"></div>
+<canvas id="canvas"></canvas>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+const canvas = document.getElementById("canvas");
+const gl = canvas.getContext("webgl");
+
+const vShader = gl.createShader(gl.VERTEX_SHADER);
+gl.shaderSource(vShader, document.getElementById("vshader").text);
+gl.compileShader(vShader);
+
+const fShader = gl.createShader(gl.FRAGMENT_SHADER);
+gl.shaderSource(fShader, document.getElementById("fshader").text);
+gl.compileShader(fShader);
+
+const program = gl.createProgram();
+gl.attachShader(program, vShader);
+gl.attachShader(program, fShader);
+gl.linkProgram(program);
+gl.useProgram(program);
+
+const attribute = gl.getAttribLocation(program, "a1");
+gl.enableVertexAttribArray(attribute);
+
+const b1 = gl.createBuffer();
+gl.bindBuffer(gl.ARRAY_BUFFER, b1);
+
+gl.vertexAttribPointer(attribute, 1, gl.BYTE, true, 1, 0x00ffff00000000);
+document.getElementById("results").textContent = `${gl.getError() == gl.NO_ERROR ? "FAIL" : "PASS"}: vertexAttribPointer should have an error.`;
+
+const b2 = gl.createBuffer();
+gl.bindBuffer(gl.ARRAY_BUFFER, b2);
+gl.bufferData(gl.ARRAY_BUFFER, new Uint16Array(100), gl.DYNAMIC_DRAW);
+
+gl.drawArrays(gl.LINES, 100, 100);
+</script>
+</body>
+</html>
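Review bot: The only offset exercised is `0x00ffff00000000` at the `gl.vertexAttribPointer` call, which is far above the new limit, so an off-by-one in the 32-bit bound or a regression in the negative-offset check would still pass this test. Consider adding the edge values: `0x7fffffff` should presumably leave `gl.getError()` at `gl.NO_ERROR` (BYTE has no alignment requirement), while `0x80000000` and `-1` should each produce an error. The result line also accepts any error; comparing with `gl.getError() == gl.INVALID_VALUE` would pin the specific failure in the page output instead of relying only on the console message in the expected file.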
Modified: branches/safari-607-branch/Source/WebCore/ChangeLog (243583 => 243584)
--- branches/safari-607-branch/Source/WebCore/ChangeLog 2019-03-27 23:44:09 UTC (rev 243583)
+++ branches/safari-607-branch/Source/WebCore/ChangeLog 2019-03-27 23:44:12 UTC (rev 243584)
@@ -1,5 +1,50 @@
2019-03-27 Alan Coon <alanc...@apple.com>
+ Cherry-pick r243506. rdar://problem/49307987
+
+ vertexAttribPointer must restrict offset parameter
+ https://bugs.webkit.org/show_bug.cgi?id=196261
+ <rdar://problem/48458086>
+
+ Reviewed by Antoine Quint.
+
+ Source/WebCore:
+
+ This WebGL function should fail if the offset parameter is
+ not within [0, max 32-bit int].
+
+ Test: fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html
+
+ * html/canvas/WebGLRenderingContextBase.cpp:
+ (WebCore::WebGLRenderingContextBase::vertexAttribPointer):
+
+ LayoutTests:
+
+ Add a test where the offset parameter is out of bounds.
+
+ * fast/canvas/webgl/vertexAttribPointer-with-bad-offset-expected.txt: Added.
+ * fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html: Added.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243506 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-03-26 Dean Jackson <d...@apple.com>
+
+ vertexAttribPointer must restrict offset parameter
+ https://bugs.webkit.org/show_bug.cgi?id=196261
+ <rdar://problem/48458086>
+
+ Reviewed by Antoine Quint.
+
+ This WebGL function should fail if the offset parameter is
+ not within [0, max 32-bit int].
+
+ Test: fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html
+
+ * html/canvas/WebGLRenderingContextBase.cpp:
+ (WebCore::WebGLRenderingContextBase::vertexAttribPointer):
+
+2019-03-27 Alan Coon <alanc...@apple.com>
+
Cherry-pick r243341. rdar://problem/49308013
Inband Text Track cues interspersed with Data cues can display out of order.
Modified: branches/safari-607-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp (243583 => 243584)
--- branches/safari-607-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp 2019-03-27 23:44:09 UTC (rev 243583)
+++ branches/safari-607-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp 2019-03-27 23:44:12 UTC (rev 243584)
@@ -4985,10 +4985,18 @@
synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "vertexAttribPointer", "index out of range");
return;
}
- if (size < 1 || size > 4 || stride < 0 || stride > 255 || offset < 0) {
- synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "vertexAttribPointer", "bad size, stride or offset");
+ if (size < 1 || size > 4) {
+ synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "vertexAttribPointer", "bad size");
return;
}
+ if (stride < 0 || stride > 255) {
+ synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "vertexAttribPointer", "bad stride");
+ return;
+ }
+ if (offset < 0 || offset > std::numeric_limits<int32_t>::max()) {
+ synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "vertexAttribPointer", "bad offset");
+ return;
+ }
if (!m_boundArrayBuffer) {
synthesizeGLError(GraphicsContext3D::INVALID_OPERATION, "vertexAttribPointer", "no bound ARRAY_BUFFER");
return;
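Review bot: The upper bound in `offset > std::numeric_limits<int32_t>::max()` has no comment saying why a wider offset is capped at 32 bits, and that reason is the security-relevant part of the change. I would add a comment above the check such as `// Reject offsets that do not fit in int32_t; a larger value could be narrowed further down and end up pointing inside the buffer.` The narrowing is inferred from the ChangeLog wording, so confirm it against the code that consumes `offset` before committing the comment. The hunk does not show whether `<limits>` is included in this file, which is worth checking rather than relying on a transitive include. The body of `vertexAttribPointer` starts and ends outside this hunk, so any later alignment or buffer-size validation is not visible here.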