Title: [270160] trunk
Revision
270160
Author
[email protected]
Date
2020-11-22 00:30:16 -0800 (Sun, 22 Nov 2020)

Log Message

Fix getIndexedParameter indexing crash
https://bugs.webkit.org/show_bug.cgi?id=218601

Patch by Rob Buis <[email protected]> on 2020-11-22
Reviewed by Ryosuke Niwa.

Source/WebCore:

Like in setBoundIndexedTransformFeedbackBuffer ASSERT, the index should
always be smaller than size for indexing to be safe, so bail if the index
is greater than or equal to size.

* html/canvas/WebGLTransformFeedback.cpp:
(WebCore::WebGLTransformFeedback::getBoundIndexedTransformFeedbackBuffer):

LayoutTests:

Add testcase.

* fast/canvas/webgl/getIndexedParameter-crash-expected.txt: Added.
* fast/canvas/webgl/getIndexedParameter-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (270159 => 270160)


--- trunk/LayoutTests/ChangeLog	2020-11-22 06:09:32 UTC (rev 270159)
+++ trunk/LayoutTests/ChangeLog	2020-11-22 08:30:16 UTC (rev 270160)
@@ -1,3 +1,15 @@
+2020-11-22  Rob Buis  <[email protected]>
+
+        Fix getIndexedParameter indexing crash
+        https://bugs.webkit.org/show_bug.cgi?id=218601
+
+        Reviewed by Ryosuke Niwa.
+
+        Add testcase.
+
+        * fast/canvas/webgl/getIndexedParameter-crash-expected.txt: Added.
+        * fast/canvas/webgl/getIndexedParameter-crash.html: Added.
+
 2020-11-21  Sihui Liu  <[email protected]>
 
         Implement audio capture for SpeechRecognition on macOS

Added: trunk/LayoutTests/fast/canvas/webgl/getIndexedParameter-crash-expected.txt (0 => 270160)


--- trunk/LayoutTests/fast/canvas/webgl/getIndexedParameter-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/getIndexedParameter-crash-expected.txt	2020-11-22 08:30:16 UTC (rev 270160)
@@ -0,0 +1,6 @@
+CONSOLE MESSAGE: WebGL: INVALID_VALUE: getIndexedParameter: index out of range
+PASS WebGL call did not crash.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
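Review bot: the expectation pins both the `INVALID_VALUE: getIndexedParameter: index out of range` console message and the `PASS WebGL call did not crash.` line, so it catches more than the crash: a later regression that let an out-of-range index through silently (returning without generating the error) would also fail this test. That is the right shape for a bounds-check regression test; no change needed to this file.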

Added: trunk/LayoutTests/fast/canvas/webgl/getIndexedParameter-crash.html (0 => 270160)


--- trunk/LayoutTests/fast/canvas/webgl/getIndexedParameter-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/getIndexedParameter-crash.html	2020-11-22 08:30:16 UTC (rev 270160)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<head>
+<meta charset="UTF-8">
+<script src=""
+<script src=""
+<script>
+function runTest() {
+    var canvas = document.createElement("canvas");
+    var webgl_ctx = canvas.getContext("webgl2");
+
+    webgl_ctx.getIndexedParameter(webgl_ctx.TRANSFORM_FEEDBACK_BUFFER_BINDING, 4);
+
+    testPassed("WebGL call did not crash.");
+}
+</script>
+</head>
+<body _onload_="runTest()">
+</body>
+</html>
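Review bot: the hard-coded index `4` at `webgl_ctx.getIndexedParameter(webgl_ctx.TRANSFORM_FEEDBACK_BUFFER_BINDING, 4);` only hits the off-by-one when the bound-buffer array has exactly four entries, which is the minimum the spec guarantees; on an implementation with a larger `MAX_TRANSFORM_FEEDBACK_SEPARATE_ATTRIBS` the index would be in range and the test would pass without exercising the fixed path. Querying that limit with `getParameter` and passing it as the index would put the test exactly at `index == size` regardless of the platform. Two smaller points: `canvas.getContext("webgl2")` can return null where WebGL2 is unavailable, so a null check (or a skip with a message) would keep the failure mode a clear test result rather than a TypeError; and the two `<script src=""` includes and the `_onload_="runTest()"` attribute appear in this rendering with empty `src` values, no closing `>`, and an underscored attribute name, so it is worth confirming the committed file carries the real harness paths and a plain `onload`, since as shown here `runTest()` would never run.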

Modified: trunk/Source/WebCore/ChangeLog (270159 => 270160)


--- trunk/Source/WebCore/ChangeLog	2020-11-22 06:09:32 UTC (rev 270159)
+++ trunk/Source/WebCore/ChangeLog	2020-11-22 08:30:16 UTC (rev 270160)
@@ -1,3 +1,17 @@
+2020-11-22  Rob Buis  <[email protected]>
+
+        Fix getIndexedParameter indexing crash
+        https://bugs.webkit.org/show_bug.cgi?id=218601
+
+        Reviewed by Ryosuke Niwa.
+
+        Like in setBoundIndexedTransformFeedbackBuffer ASSERT, the index should
+        always be smaller than size for indexing to be safe, so bail if the index
+        is greater than or equal to size.
+
+        * html/canvas/WebGLTransformFeedback.cpp:
+        (WebCore::WebGLTransformFeedback::getBoundIndexedTransformFeedbackBuffer):
+
 2020-11-21  Ada Chan  <[email protected]>
 
         Convert PlatformXRCocoa.cpp to Objective C++

Modified: trunk/Source/WebCore/html/canvas/WebGLTransformFeedback.cpp (270159 => 270160)


--- trunk/Source/WebCore/html/canvas/WebGLTransformFeedback.cpp	2020-11-22 06:09:32 UTC (rev 270159)
+++ trunk/Source/WebCore/html/canvas/WebGLTransformFeedback.cpp	2020-11-22 08:30:16 UTC (rev 270160)
@@ -76,7 +76,7 @@
 
 bool WebGLTransformFeedback::getBoundIndexedTransformFeedbackBuffer(GCGLuint index, WebGLBuffer** outBuffer)
 {
-    if (index > m_boundIndexedTransformFeedbackBuffers.size())
+    if (index >= m_boundIndexedTransformFeedbackBuffers.size())
         return false;
     *outBuffer = m_boundIndexedTransformFeedbackBuffers[index].get();
     return true;
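Review bot: `>=` is the correct bound here. With `index > m_boundIndexedTransformFeedbackBuffers.size()` an `index` equal to `size()` passed the check and `*outBuffer = m_boundIndexedTransformFeedbackBuffers[index].get();` read one element past the end of the Vector, which is the out-of-bounds access the new layout test reproduces. Both operands are unsigned (`GCGLuint` against `size_t`), so the comparison itself carries no sign-conversion surprise. Since the ChangeLog says this mirrors the ASSERT in `setBoundIndexedTransformFeedbackBuffer`, it would be worth checking any other indexed lookups into `m_boundIndexedTransformFeedbackBuffers` in this file for the same `>` versus `>=` pattern while the context is fresh.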
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes