Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 630efa7ca19ef8deff2e8804fcee3bf725ae7bf0
https://github.com/WebKit/WebKit/commit/630efa7ca19ef8deff2e8804fcee3bf725ae7bf0
Author: Mike Wyrzykowski <[email protected]>
Date: 2024-04-11 (Thu, 11 Apr 2024)
Changed paths:
M Source/WebGPU/WebGPU/RenderPipeline.mm
Log Message:
-----------
[WebGPU] Out of bounds Vector::operator[] if maxGroupIndex == uint32_max
https://bugs.webkit.org/show_bug.cgi?id=272436
<radar://125542935>
Reviewed by Tadeu Zagallo.
If maxGroupIndex == UINT32_MAX then the following expression:

    size_t bindGroupLayoutCount = maxGroupIndex + 1;

evaluates to zero because the right hand side is in 32-bits.

And then we proceed to loop over all the indices, resulting in
a call to Vector::operator[](UINT32_MAX) which overflows.

Correct this by casting to size_t but then also checking for
zero in case the platform's size_t is still 32 bits. We could
also cast the 32-bit integer to 64-bits, but this would fail
if maxGroupIndex was uint64_t, so the zero check is safer.

Alternatively, we could use the functions in CheckedArithmetic.h,
but this is equivalent for adding 1.
* Source/WebGPU/WebGPU/RenderPipeline.mm:
(WebGPU::Device::addPipelineLayouts):
Canonical link: https://commits.webkit.org/277395@main
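
The wraparound described in the log message and the widen-then-check-zero correction, as an added stand-alone example; this is not the WebKit change itself, and the function names layoutCountWrapping, layoutCountChecked and indexInBounds are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>

// Hypothetical stand-in for the pre-fix computation: the addition is done in
// 32-bit unsigned arithmetic and only the already-wrapped result is widened.
size_t layoutCountWrapping(uint32_t maxGroupIndex)
{
    size_t bindGroupLayoutCount = maxGroupIndex + 1; // 0 when maxGroupIndex == UINT32_MAX
    return bindGroupLayoutCount;
}

// The approach the log message describes: widen to size_t first, then reject
// zero so that a platform whose size_t is still 32 bits is covered as well.
bool layoutCountChecked(uint32_t maxGroupIndex, size_t& bindGroupLayoutCount)
{
    bindGroupLayoutCount = static_cast<size_t>(maxGroupIndex) + 1;
    return bindGroupLayoutCount != 0;
}

// Bounds predicate a caller can apply before indexing a container that holds
// `count` slots; it performs no memory access itself.
bool indexInBounds(uint32_t index, size_t count)
{
    return static_cast<size_t>(index) < count;
}

int main()
{
    const uint32_t maxIndex = UINT32_MAX;

    // With the wrapped count of 0, index UINT32_MAX lies outside the container.
    bool wrappedCovers = indexInBounds(maxIndex, layoutCountWrapping(maxIndex));

    // With the checked count, either the index is covered (64-bit size_t) or
    // the computation is rejected before any indexing (32-bit size_t).
    size_t count = 0;
    bool ok = layoutCountChecked(maxIndex, count);
    bool checkedIsSound = ok ? indexInBounds(maxIndex, count) : true;

    return (!wrappedCovers && checkedIsSound) ? 0 : 1;
}
```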