Title: [270426] trunk
- Revision
- 270426
- Author
- [email protected]
- Date
- 2020-12-04 01:41:08 -0800 (Fri, 04 Dec 2020)
Log Message
WebGL2: Null pointer dereference in std::string implementation in gl::Shader::getTransformFeedbackVaryingMappedName
https://bugs.webkit.org/show_bug.cgi?id=218602
Patch by Rob Buis <[email protected]> on 2020-12-04
Reviewed by Dean Jackson.
Source/ThirdParty/ANGLE:
Skip varying if field is not found since in this
case we have no match for the varying parameter name.
* src/libANGLE/Shader.cpp:
(gl::Shader::getTransformFeedbackVaryingMappedName):
LayoutTests:
Add test that triggers the Shader::getTransformFeedbackVaryingMappedName
field code.
* fast/canvas/webgl/webgl-transformed-varying-name-crash-expected.txt: Added.
* fast/canvas/webgl/webgl-transformed-varying-name-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (270425 => 270426)
--- trunk/LayoutTests/ChangeLog 2020-12-04 07:10:03 UTC (rev 270425)
+++ trunk/LayoutTests/ChangeLog 2020-12-04 09:41:08 UTC (rev 270426)
@@ -1,3 +1,16 @@
+2020-12-04 Rob Buis <[email protected]>
+
+ WebGL2: Null pointer dereference in std::string implementation in gl::Shader::getTransformFeedbackVaryingMappedName
+ https://bugs.webkit.org/show_bug.cgi?id=218602
+
+ Reviewed by Dean Jackson.
+
+ Add test that triggers the Shader::getTransformFeedbackVaryingMappedName
+ field code.
+
+ * fast/canvas/webgl/webgl-transformed-varying-name-crash-expected.txt: Added.
+ * fast/canvas/webgl/webgl-transformed-varying-name-crash.html: Added.
+
2020-12-03 Simon Fraser <[email protected]>
Only the first wheel event in a gesture should be cancelable
Added: trunk/LayoutTests/fast/canvas/webgl/webgl-transformed-varying-name-crash-expected.txt (0 => 270426)
--- trunk/LayoutTests/fast/canvas/webgl/webgl-transformed-varying-name-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/webgl-transformed-varying-name-crash-expected.txt 2020-12-04 09:41:08 UTC (rev 270426)
@@ -0,0 +1,2 @@
+PASS. You didn't crash.
+
Added: trunk/LayoutTests/fast/canvas/webgl/webgl-transformed-varying-name-crash.html (0 => 270426)
--- trunk/LayoutTests/fast/canvas/webgl/webgl-transformed-varying-name-crash.html (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/webgl-transformed-varying-name-crash.html 2020-12-04 09:41:08 UTC (rev 270426)
@@ -0,0 +1,92 @@
+<!DOCTYPE html>
+<head>
+<meta charset="UTF-8">
+<script id='2d-vertex-shader' type='x-shader/x-vertex'>#version 300 es
+ precision mediump float;
+ in vec4 a_position;
+ struct S
+ {
+ mat3x4 m;
+ };
+ out S matrix;
+ out vec3 vector;
+
+ void main()
+ {
+ matrix.m = mat3x4(1.0);
+ vector = vec3(1.0);
+ gl_Position = a_position;
+ }
+</script>
+<script id='2d-fragment-shader' type='x-shader/x-fragment'>#version 300 es
+ precision mediump float;
+ uniform vec3 uCol;
+ out vec4 col;
+ void main(){
+ col = vec4(uCol,1.);
+ }
+</script>
+<script>
+ function createShader(gl, sourceCode, type, type_str) {
+ var shader = gl.createShader(type);
+ gl.shaderSource(shader, sourceCode);
+ gl.compileShader(shader);
+
+ if (!gl.getShaderParameter(shader, gl.COMPILE_STATUS)) {
+ var info = gl.getShaderInfoLog(shader);
+ console.log(info);
+ }
+
+ return shader;
+ }
+
+ function createProgram(gl, vertexShader, fragmentShader) {
+ var program = gl.createProgram();
+ gl.attachShader(program, vertexShader);
+ gl.attachShader(program, fragmentShader);
+ transform_outs = ["vector"];
+ transform_feed = gl.createTransformFeedback();
+ gl.bindTransformFeedback(gl.TRANSFORM_FEEDBACK,transform_feed);
+ gl.transformFeedbackVaryings(program,transform_outs,gl.INTERLEAVED_ATTRIBS);
+ gl.linkProgram(program);
+ active_info = gl.getTransformFeedbackVarying(program,0);
+ gl.useProgram(program);
+
+ if (!gl.getProgramParameter(program, gl.LINK_STATUS)) {
+ var info = gl.getProgramInfoLog(program);
+ console.log(info);
+ }
+ return program
+ }
+
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+
+ function runTest() {
+ var canvas = document.createElement("canvas");
+ canvas.width = "640";
+ canvas.height = "480"
+ canvas.style.border = "thick solid #00FFFF";
+ var webgl_1 = canvas.getContext("webgl2");
+ document.body.append(canvas)
+
+ var schader_script_3 = document.getElementById('2d-vertex-shader');
+ var shader_source_3 = schader_script_3.text;
+ var schader_script_4 = document.getElementById('2d-fragment-shader');
+ var shader_source_4 = schader_script_4.text;
+
+ var vertexShader = createShader(webgl_1, shader_source_3, webgl_1.VERTEX_SHADER,"VERTEX_SHADER")
+ var fragmentShader = createShader(webgl_1, shader_source_4, webgl_1.FRAGMENT_SHADER,"FRAGMENT_SHADER")
+ createProgram(webgl_1, vertexShader, fragmentShader)
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+</script>
+</head>
+<body _onload_="runTest()">
+ <div>PASS. You didn't crash.</div>
+</body>
+</html>
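Review bot: `runTest()` never checks the result of `canvas.getContext("webgl2")`, so on a configuration without WebGL2 the first `gl.createShader` call throws, `testRunner.notifyDone()` is never reached after the earlier `waitUntilDone()`, and the test times out instead of reporting. A guard such as `if (!webgl_1) { if (window.testRunner) testRunner.notifyDone(); return; }` right after the context is created, or a `try`/`finally` around the body, would make that failure explicit. In `createProgram`, `transform_outs`, `transform_feed` and `active_info` are assigned without `var` and become globals, and the `type_str` parameter of `createShader` is unused. The body tag is shown as `_onload_="runTest()"`, which is probably an artefact of the mail archive; if the committed file has the same spelling, the handler never runs and the crash path is not exercised.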
Modified: trunk/Source/ThirdParty/ANGLE/ChangeLog (270425 => 270426)
--- trunk/Source/ThirdParty/ANGLE/ChangeLog 2020-12-04 07:10:03 UTC (rev 270425)
+++ trunk/Source/ThirdParty/ANGLE/ChangeLog 2020-12-04 09:41:08 UTC (rev 270426)
@@ -1,3 +1,16 @@
+2020-12-04 Rob Buis <[email protected]>
+
+ WebGL2: Null pointer dereference in std::string implementation in gl::Shader::getTransformFeedbackVaryingMappedName
+ https://bugs.webkit.org/show_bug.cgi?id=218602
+
+ Reviewed by Dean Jackson.
+
+ Skip varying if field is not found since in this
+ case we have no match for the varying parameter name.
+
+ * src/libANGLE/Shader.cpp:
+ (gl::Shader::getTransformFeedbackVaryingMappedName):
+
2020-12-03 Adam Roben <[email protected]>
Adopt FALLBACK_PLATFORM
Modified: trunk/Source/ThirdParty/ANGLE/src/libANGLE/Shader.cpp (270425 => 270426)
--- trunk/Source/ThirdParty/ANGLE/src/libANGLE/Shader.cpp 2020-12-04 07:10:03 UTC (rev 270425)
+++ trunk/Source/ThirdParty/ANGLE/src/libANGLE/Shader.cpp 2020-12-04 09:41:08 UTC (rev 270426)
@@ -655,7 +655,9 @@
{
GLuint fieldIndex = 0;
const auto *field = varying.findField(tfVaryingName, &fieldIndex);
- ASSERT(field != nullptr && !field->isStruct() && !field->isArray());
+ if (!field)
+ continue;
+ ASSERT(!field->isStruct() && !field->isArray());
return varying.mappedName + "." + field->mappedName;
}
}
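Review bot: The struct and array conditions on `field` are still enforced only by `ASSERT`, the same mechanism that did not stop the null dereference this commit fixes. A build where asserts are compiled out would therefore still return a mapped name for a field shape the code treats as unsupported. The varying name appears to come from the page's `transformFeedbackVaryings` call, as in the added layout test, so consider a runtime guard, `if (!field || field->isStruct() || field->isArray()) continue;`, or add a comment naming the earlier validation that guarantees the invariant. The enclosing loop and the function's final return lie outside the hunk, so it is worth confirming what is returned when every varying is skipped and that callers handle that value.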