Title: [287807] trunk/Source/WebCore
- Revision: 287807
- Author: bfulg...@apple.com
- Date: 2022-01-07 20:09:48 -0800 (Fri, 07 Jan 2022)
Log Message
[Hardening] Improve multi draw offset validation
https://bugs.webkit.org/show_bug.cgi?id=234966
<rdar://problem/86814830>
Reviewed by Darin Adler.
Incorporate draw count into validation of the offset.
* html/canvas/WebGLMultiDraw.cpp:
(WebCore::WebGLMultiDraw::validateOffset):
Diff
Modified: trunk/Source/WebCore/ChangeLog (287806 => 287807)
--- trunk/Source/WebCore/ChangeLog 2022-01-08 03:42:42 UTC (rev 287806)
+++ trunk/Source/WebCore/ChangeLog 2022-01-08 04:09:48 UTC (rev 287807)
@@ -1,3 +1,16 @@
+2022-01-07 Brent Fulgham <bfulg...@apple.com>
+
+ [Hardening] Improve multi draw offset validation
+ https://bugs.webkit.org/show_bug.cgi?id=234966
+ <rdar://problem/86814830>
+
+ Reviewed by Darin Adler.
+
+ Incorporate draw count into validation of the offset.
+
+ * html/canvas/WebGLMultiDraw.cpp:
+ (WebCore::WebGLMultiDraw::validateOffset):
+
2022-01-07 Myles C. Maxfield <mmaxfi...@apple.com>
[GPU Process] Can't getImageData on canvas larger than 4096x4096
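Review bot: the added entry says only "Incorporate draw count into validation of the offset" and lists a single source file, so it records neither the bound now being enforced nor any test that exercises it. Consider stating the intended invariant between offset, drawcount and the list size in the entry, and adding a test that calls a multi-draw entry point with an offset that is in range on its own but out of range once drawcount is taken into account.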
Modified: trunk/Source/WebCore/html/canvas/WebGLMultiDraw.cpp (287806 => 287807)
--- trunk/Source/WebCore/html/canvas/WebGLMultiDraw.cpp 2022-01-08 03:42:42 UTC (rev 287806)
+++ trunk/Source/WebCore/html/canvas/WebGLMultiDraw.cpp 2022-01-08 04:09:48 UTC (rev 287807)
@@ -135,7 +135,7 @@
return false;
}
- if (offset >= static_cast<GCGLuint>(size)) {
+ if (offset >= static_cast<GCGLuint>(size - drawcount)) {
m_context->synthesizeGLError(GraphicsContextGL::INVALID_OPERATION, functionName, outOfBoundsDescription);
return false;
}
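Review bot: on the `+` line, `size - drawcount` is evaluated before the `static_cast<GCGLuint>`, so the new bound is only sound if `drawcount <= size` is already guaranteed at this point. If the difference can be negative, the cast wraps it to a very large unsigned value and every offset passes the check. The check that ends with the `return false;` at the top of this hunk is not visible here; please confirm it rejects `drawcount > size`, or rewrite the comparison so it does not depend on a subtraction that can go negative. Separately, with `>=` an offset where offset plus drawcount equals size is rejected, even though such a call would read exactly the last drawcount entries of the list. If that case is meant to be valid, the comparison should be `>`; if the stricter bound is deliberate, a short comment saying so would help.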