Modified: trunk/LayoutTests/ChangeLog (92412 => 92413)
--- trunk/LayoutTests/ChangeLog 2011-08-04 21:29:08 UTC (rev 92412)
+++ trunk/LayoutTests/ChangeLog 2011-08-04 21:37:03 UTC (rev 92413)
@@ -1,3 +1,15 @@
+2011-08-04 Sergey Glazunov <[email protected]>
+
+ Fix integer overflow in custom bindings for WebGLRenderingContext
+ https://bugs.webkit.org/show_bug.cgi?id=65646
+
+ Reviewed by Kenneth Russell.
+
+ * fast/canvas/webgl/resources/floatArrayUniformShader.vert: Added.
+ * fast/canvas/webgl/resources/intArrayUniformShader2.vert: Added.
+ * fast/canvas/webgl/uniform-array-length-overflow-expected.txt: Added.
+ * fast/canvas/webgl/uniform-array-length-overflow.html: Added.
+
2011-08-04 Adam Barth <[email protected]>
Refine some test expectations to account for flakiness.
Added: trunk/LayoutTests/fast/canvas/webgl/resources/floatArrayUniformShader.vert (0 => 92413)
--- trunk/LayoutTests/fast/canvas/webgl/resources/floatArrayUniformShader.vert (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/resources/floatArrayUniformShader.vert 2011-08-04 21:37:03 UTC (rev 92413)
@@ -0,0 +1,7 @@
+uniform float u_floats[4];
+
+void main()
+{
+ float sum = u_floats[0] + u_floats[1] + u_floats[2] + u_floats[3];
+ gl_Position = vec4(sum, 0.0, 0.0, 1.0);
+}
\ No newline at end of file
Added: trunk/LayoutTests/fast/canvas/webgl/resources/intArrayUniformShader2.vert (0 => 92413)
--- trunk/LayoutTests/fast/canvas/webgl/resources/intArrayUniformShader2.vert (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/resources/intArrayUniformShader2.vert 2011-08-04 21:37:03 UTC (rev 92413)
@@ -0,0 +1,7 @@
+uniform int u_ints[4];
+
+void main()
+{
+ int sum = u_ints[0] + u_ints[1] + u_ints[2] + u_ints[3];
+ gl_Position = vec4(sum, 0.0, 0.0, 1.0);
+}
\ No newline at end of file
Added: trunk/LayoutTests/fast/canvas/webgl/uniform-array-length-overflow-expected.txt (0 => 92413)
--- trunk/LayoutTests/fast/canvas/webgl/uniform-array-length-overflow-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/uniform-array-length-overflow-expected.txt 2011-08-04 21:37:03 UTC (rev 92413)
@@ -0,0 +1,8 @@
+Verifies that the array conversion code for WebGLRenderingContext.uniform* does not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/canvas/webgl/uniform-array-length-overflow.html (0 => 92413)
--- trunk/LayoutTests/fast/canvas/webgl/uniform-array-length-overflow.html (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/uniform-array-length-overflow.html 2011-08-04 21:37:03 UTC (rev 92413)
@@ -0,0 +1,40 @@
+<html>
+<head>
+<link rel="stylesheet" href=""
+<script src=""
+<script src=""
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<script>
+description("Verifies that the array conversion code for WebGLRenderingContext.uniform* does not crash.");
+
+array = [ ];
+for (var i = 0; i < 1 << 15; ++i)
+ array[i] = 0x0c0c0c0c;
+array.length = 0x80000000;
+
+context = create3DContext();
+intProgram = loadProgram(context, "resources/intArrayUniformShader2.vert", "resources/noopUniformShader.frag");
+floatProgram = loadProgram(context, "resources/floatArrayUniformShader.vert", "resources/noopUniformShader.frag");
+intLocation = context.getUniformLocation(intProgram, "u_ints");
+floatLocation = context.getUniformLocation(floatProgram, "u_floats");
+
+context.useProgram(intProgram);
+try {
+ context.uniform4iv(intLocation, array);
+} catch (e) { }
+
+context.useProgram(floatProgram);
+try {
+ context.uniform4fv(floatLocation, array);
+} catch (e) { }
+
+successfullyParsed = true;
+</script>
+
+<script src=""
+</body>
+</html>
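Review bot: The two `try { … } catch (e) { }` blocks around `uniform4iv` and `uniform4fv` swallow every outcome, so the expected file pins nothing beyond `successfullyParsed`; a regression that silently reads past the 1<<15 populated elements without crashing would still pass. If the binding is expected to reject an unconvertible array, wrap the calls in `shouldThrow` (or record `context.getError()` afterwards) so the expected output states the observable result, not just survival. The single length `0x80000000` covers both the negative-`toInt32` case and the byte-count cap at once; a second value just above `0xffffffff / 4` elements would exercise the cap independently of the sign wrap.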
Modified: trunk/Source/WebCore/ChangeLog (92412 => 92413)
--- trunk/Source/WebCore/ChangeLog 2011-08-04 21:29:08 UTC (rev 92412)
+++ trunk/Source/WebCore/ChangeLog 2011-08-04 21:37:03 UTC (rev 92413)
@@ -1,3 +1,18 @@
+2011-08-04 Sergey Glazunov <[email protected]>
+
+ Fix integer overflow in custom bindings for WebGLRenderingContext
+ https://bugs.webkit.org/show_bug.cgi?id=65646
+
+ Reviewed by Kenneth Russell.
+
+ Test: fast/canvas/webgl/uniform-array-length-overflow.html
+
+ * bindings/js/JSWebGLRenderingContextCustom.cpp:
+ (WebCore::toVector): Don't crash if allocation fails.
+ * bindings/v8/custom/V8WebGLRenderingContextCustom.cpp:
+ (WebCore::jsArrayToFloatArray):
+ (WebCore::jsArrayToIntArray):
+
2011-08-04 Pratik Solanki <[email protected]>
Implement CERTIFICATE_CREDENTIALS_SUPPORTED for CFNetwork
Modified: trunk/Source/WebCore/bindings/js/JSWebGLRenderingContextCustom.cpp (92412 => 92413)
--- trunk/Source/WebCore/bindings/js/JSWebGLRenderingContextCustom.cpp 2011-08-04 21:29:08 UTC (rev 92412)
+++ trunk/Source/WebCore/bindings/js/JSWebGLRenderingContextCustom.cpp 2011-08-04 21:37:03 UTC (rev 92413)
@@ -386,6 +386,9 @@
JSC::JSObject* object = asObject(value);
int32_t length = object->get(exec, JSC::Identifier(exec, "length")).toInt32(exec);
+
+ if (!vector.tryReserveCapacity(length))
+ return false;
vector.resize(length);
for (int32_t i = 0; i < length; ++i) {
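Review bot: The new `tryReserveCapacity(length)` guard only rejects a negative `length` because the `int32_t` converts to a huge `size_t` that allocation refuses; that is correct but implicit, and `vector.resize(length)` on the next line relies on the same conversion. Make the sign check explicit ahead of it, `if (length < 0) return false;`, so the intent survives a future change of the vector's capacity API or of `length`'s type. Note also that `toInt32` wraps a JS length of 0x100000000 to 0 rather than rejecting it, so very large arrays are silently treated as empty; if that is not intended, reading the length via `toUInt32` and capping it would be the place to fix it. `toVector` begins and ends outside this hunk.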
Modified: trunk/Source/WebCore/bindings/v8/custom/V8WebGLRenderingContextCustom.cpp (92412 => 92413)
--- trunk/Source/WebCore/bindings/v8/custom/V8WebGLRenderingContextCustom.cpp 2011-08-04 21:29:08 UTC (rev 92412)
+++ trunk/Source/WebCore/bindings/v8/custom/V8WebGLRenderingContextCustom.cpp 2011-08-04 21:37:03 UTC (rev 92413)
@@ -64,6 +64,7 @@
#include "V8WebGLUniformLocation.h"
#include "V8WebGLVertexArrayObjectOES.h"
#include "WebGLRenderingContext.h"
+#include <limits>
#include <wtf/FastMalloc.h>
namespace WebCore {
@@ -74,7 +75,8 @@
{
// Convert the data element-by-element.
float* data;
- if (!tryFastMalloc(len * sizeof(float)).getValue(data))
+ if (len > std::numeric_limits<uint32_t>::max() / sizeof(float)
+ || !tryFastMalloc(len * sizeof(float)).getValue(data))
return 0;
for (uint32_t i = 0; i < len; i++) {
v8::Local<v8::Value> val = array->Get(i);
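Review bot: The `len > std::numeric_limits<uint32_t>::max() / sizeof(float)` guard is correct but unexplained, and the identical pattern is repeated with `sizeof(int)` in jsArrayToIntArray (lines 157-158); a one-line comment on each would spare the next reader working out why the bound is `uint32_t` rather than `size_t`: `// Cap the element count so len * sizeof(...) cannot wrap in the 32-bit size_t of 32-bit builds (the cap is the same on 64-bit, which keeps behaviour uniform).` Alternatively fold both checks into a small static helper such as `static bool byteCountFitsUint32(uint32_t len, size_t elementSize)` so the two call sites cannot drift apart. Both enclosing functions begin and end outside their hunks.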
@@ -93,7 +95,8 @@
{
// Convert the data element-by-element.
int* data;
- if (!tryFastMalloc(len * sizeof(int)).getValue(data))
+ if (len > std::numeric_limits<uint32_t>::max() / sizeof(int)
+ || !tryFastMalloc(len * sizeof(int)).getValue(data))
return 0;
for (uint32_t i = 0; i < len; i++) {
v8::Local<v8::Value> val = array->Get(i);