Title: [92505] branches/chromium/835

Diff

Copied: branches/chromium/835/LayoutTests/fast/canvas/webgl/resources/floatArrayUniformShader.vert (from rev 92413, trunk/LayoutTests/fast/canvas/webgl/resources/floatArrayUniformShader.vert) (0 => 92505)


--- branches/chromium/835/LayoutTests/fast/canvas/webgl/resources/floatArrayUniformShader.vert	                        (rev 0)
+++ branches/chromium/835/LayoutTests/fast/canvas/webgl/resources/floatArrayUniformShader.vert	2011-08-05 20:34:40 UTC (rev 92505)
@@ -0,0 +1,7 @@
+uniform float u_floats[4];
+
+void main()
+{
+	float sum = u_floats[0] + u_floats[1] + u_floats[2] + u_floats[3];
+	gl_Position = vec4(sum, 0.0, 0.0, 1.0);
+}
\ No newline at end of file

Copied: branches/chromium/835/LayoutTests/fast/canvas/webgl/resources/intArrayUniformShader2.vert (from rev 92413, trunk/LayoutTests/fast/canvas/webgl/resources/intArrayUniformShader2.vert) (0 => 92505)


--- branches/chromium/835/LayoutTests/fast/canvas/webgl/resources/intArrayUniformShader2.vert	                        (rev 0)
+++ branches/chromium/835/LayoutTests/fast/canvas/webgl/resources/intArrayUniformShader2.vert	2011-08-05 20:34:40 UTC (rev 92505)
@@ -0,0 +1,7 @@
+uniform int u_ints[4];
+
+void main()
+{
+	int sum = u_ints[0] + u_ints[1] + u_ints[2] + u_ints[3];
+	gl_Position = vec4(sum, 0.0, 0.0, 1.0);
+}
\ No newline at end of file

Copied: branches/chromium/835/LayoutTests/fast/canvas/webgl/uniform-array-length-overflow-expected.txt (from rev 92413, trunk/LayoutTests/fast/canvas/webgl/uniform-array-length-overflow-expected.txt) (0 => 92505)


--- branches/chromium/835/LayoutTests/fast/canvas/webgl/uniform-array-length-overflow-expected.txt	                        (rev 0)
+++ branches/chromium/835/LayoutTests/fast/canvas/webgl/uniform-array-length-overflow-expected.txt	2011-08-05 20:34:40 UTC (rev 92505)
@@ -0,0 +1,8 @@
+Verifies that the array conversion code for WebGLRenderingContext.uniform* does not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Copied: branches/chromium/835/LayoutTests/fast/canvas/webgl/uniform-array-length-overflow.html (from rev 92413, trunk/LayoutTests/fast/canvas/webgl/uniform-array-length-overflow.html) (0 => 92505)


--- branches/chromium/835/LayoutTests/fast/canvas/webgl/uniform-array-length-overflow.html	                        (rev 0)
+++ branches/chromium/835/LayoutTests/fast/canvas/webgl/uniform-array-length-overflow.html	2011-08-05 20:34:40 UTC (rev 92505)
@@ -0,0 +1,40 @@
+<html>
+<head>
+<link rel="stylesheet" href=""
+<script src=""
+<script src=""
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<script>
+description("Verifies that the array conversion code for WebGLRenderingContext.uniform* does not crash.");
+
+array = [ ];
+for (var i = 0; i < 1 << 15; ++i)
+    array[i] = 0x0c0c0c0c;
+array.length = 0x80000000;
+
+context = create3DContext();
+intProgram = loadProgram(context, "resources/intArrayUniformShader2.vert", "resources/noopUniformShader.frag");
+floatProgram = loadProgram(context, "resources/floatArrayUniformShader.vert", "resources/noopUniformShader.frag");
+intLocation = context.getUniformLocation(intProgram, "u_ints");
+floatLocation = context.getUniformLocation(floatProgram, "u_floats");
+
+context.useProgram(intProgram);
+try {
+    context.uniform4iv(intLocation, array);
+} catch (e) { }
+
+context.useProgram(floatProgram);
+try {
+    context.uniform4fv(floatLocation, array);
+} catch (e) { }
+
+successfullyParsed = true;
+</script>
+
+<script src=""
+</body>
+</html>
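Review bot: The two `try { ... } catch (e) { }` blocks discard the outcome of the oversized `uniform4iv`/`uniform4fv` calls, so the expectations file only records `successfullyParsed`; a later change that made the binding silently accept a truncated array instead of rejecting it would still pass this test. If the bindings are expected to throw for a rejected array, `shouldThrow('context.uniform4iv(intLocation, array)')` (and the float counterpart) would pin that and produce a matching line in the expected output; if the contract is only "no crash", a `testPassed("uniform4iv returned")` after each call at least records that control came back. Whether the bindings throw on a rejected array is not visible in this change.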

Modified: branches/chromium/835/Source/WebCore/bindings/js/JSWebGLRenderingContextCustom.cpp (92504 => 92505)


--- branches/chromium/835/Source/WebCore/bindings/js/JSWebGLRenderingContextCustom.cpp	2011-08-05 20:33:15 UTC (rev 92504)
+++ branches/chromium/835/Source/WebCore/bindings/js/JSWebGLRenderingContextCustom.cpp	2011-08-05 20:34:40 UTC (rev 92505)
@@ -386,6 +386,9 @@
 
     JSC::JSObject* object = asObject(value);
     int32_t length = object->get(exec, JSC::Identifier(exec, "length")).toInt32(exec);
+
+    if (!vector.tryReserveCapacity(length))
+        return false;
     vector.resize(length);
 
     for (int32_t i = 0; i < length; ++i) {
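Review bot: `length` is an `int32_t` read from a script-controlled `length` property, so a negative value reaches `tryReserveCapacity` and `resize` only through an implicit conversion to the unsigned size type; the reservation then fails for the right reason, but nothing in the code says that this is relied on. Make the rejection explicit on the added line: `if (length < 0 || !vector.tryReserveCapacity(length))`, with a comment such as `// Reject negative or unreservable lengths up front; the loop below trusts length.` so the next reader does not remove the guard as redundant. The enclosing conversion function begins and ends outside this hunk.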

Modified: branches/chromium/835/Source/WebCore/bindings/v8/custom/V8WebGLRenderingContextCustom.cpp (92504 => 92505)


--- branches/chromium/835/Source/WebCore/bindings/v8/custom/V8WebGLRenderingContextCustom.cpp	2011-08-05 20:33:15 UTC (rev 92504)
+++ branches/chromium/835/Source/WebCore/bindings/v8/custom/V8WebGLRenderingContextCustom.cpp	2011-08-05 20:34:40 UTC (rev 92505)
@@ -64,6 +64,7 @@
 #include "V8WebGLUniformLocation.h"
 #include "V8WebGLVertexArrayObjectOES.h"
 #include "WebGLRenderingContext.h"
+#include <limits>
 #include <wtf/FastMalloc.h>
 
 namespace WebCore {
@@ -74,7 +75,8 @@
 {
     // Convert the data element-by-element.
     float* data;
-    if (!tryFastMalloc(len * sizeof(float)).getValue(data))
+    if (len > std::numeric_limits<uint32_t>::max() / sizeof(float)
+        || !tryFastMalloc(len * sizeof(float)).getValue(data))
         return 0;
     for (uint32_t i = 0; i < len; i++) {
         v8::Local<v8::Value> val = array->Get(i);
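Review bot: The new guard compares `len` (presumably `uint32_t`, its declaration is above the hunk) against `std::numeric_limits<uint32_t>::max() / sizeof(float)`, while the product `len * sizeof(float)` on the next line is evaluated in `size_t`; the bound is correct for the 32-bit build, but nothing states why that is the limit, and the same expression is repeated verbatim in the `int` conversion in the following hunk. Name it once per function, e.g. `static const uint32_t maxElements = std::numeric_limits<uint32_t>::max() / sizeof(float);` with the comment `// Keep len * sizeof(float) from wrapping on 32-bit size_t before it reaches tryFastMalloc.`, and use the same form in the `int` path so the two checks cannot drift apart. Both enclosing conversion functions start before their hunks, so their signatures and the type of `len` are not visible here.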
@@ -93,7 +95,8 @@
 {
     // Convert the data element-by-element.
     int* data;
-    if (!tryFastMalloc(len * sizeof(int)).getValue(data))
+    if (len > std::numeric_limits<uint32_t>::max() / sizeof(int)
+        || !tryFastMalloc(len * sizeof(int)).getValue(data))
         return 0;
     for (uint32_t i = 0; i < len; i++) {
         v8::Local<v8::Value> val = array->Get(i);