Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 0fe9ff8c6712d184e1ea0ecf178381dceb30fd30
https://github.com/WebKit/WebKit/commit/0fe9ff8c6712d184e1ea0ecf178381dceb30fd30
Author: Roberto Rodriguez <[email protected]>
Date: 2026-05-27 (Wed, 27 May 2026)
Changed paths:
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/VertexArrayMtl.mm
M Source/ThirdParty/ANGLE/src/tests/gl_tests/VertexAttributeTest.cpp
Log Message:
-----------
[ANGLE] Metal backend: Fix crash on OOB vertex attribute offset in
syncDirtyAttrib
https://bugs.webkit.org/show_bug.cgi?id=309989
rdar://172179424
Reviewed by Kimmo Kinnunen.
VertexArrayMtl::syncDirtyAttrib's non-conversion path stores
binding.getOffset() unchecked and crashes in VertexArrayMtl::setupDraw
when the offset exceeds the buffer size.
Fix by hoisting GetVertexCount check before the needConversion branch so
both paths are guarded, clamping to safe defaults when no vertices fit.
Also rewrite GetVertexCount/GetVertexCountWithConversion using
CheckedNumeric to handle negative offsets and zero strides.
* Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/VertexArrayMtl.mm:
(rx::VertexArrayMtl::syncDirtyAttrib):
(rx::VertexArrayMtl::convertVertexBuffer):
* Source/ThirdParty/ANGLE/src/tests/gl_tests/VertexAttributeTest.cpp:
Originally-landed-as: 305413.586@rapid/safari-7624.2.5.110-branch
(845230f29cf4). rdar://176062010
Canonical link: https://commits.webkit.org/314003@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
