Modified: branches/safari-600.1.4.17-branch/LayoutTests/ChangeLog (187259 => 187260)
--- branches/safari-600.1.4.17-branch/LayoutTests/ChangeLog 2015-07-23 22:16:18 UTC (rev 187259)
+++ branches/safari-600.1.4.17-branch/LayoutTests/ChangeLog 2015-07-23 22:18:42 UTC (rev 187260)
@@ -1,3 +1,18 @@
+2015-07-23 Babak Shafiei <[email protected]>
+
+ Merge r187189.
+
+ 2015-07-23 Dean Jackson <[email protected]>
+
+ Out of bounds in WebGLRenderingContext::simulateVertexAttrib0
+ https://bugs.webkit.org/show_bug.cgi?id=147176
+ <rdar://problem/21567767>
+
+ Reviewed by Oliver Hunt.
+
+ * fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays-expected.txt: Added.
+ * fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays.html: Added.
+
2015-07-18 David Kilzer <[email protected]>
Merge r186988. rdar://problem/21709404
Added: branches/safari-600.1.4.17-branch/LayoutTests/fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays-expected.txt (0 => 187260)
--- branches/safari-600.1.4.17-branch/LayoutTests/fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays-expected.txt (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays-expected.txt 2015-07-23 22:18:42 UTC (rev 187260)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 32: WebGL: INVALID_OPERATION: drawArrays: attempt to access outside the bounds of the simulated vertexAttrib0 array
+
Added: branches/safari-600.1.4.17-branch/LayoutTests/fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays.html (0 => 187260)
--- branches/safari-600.1.4.17-branch/LayoutTests/fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays.html (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays.html 2015-07-23 22:18:42 UTC (rev 187260)
@@ -0,0 +1,33 @@
+<script>
+
+if (window.testRunner) {
+ window.testRunner.dumpAsText();
+ testRunner.overridePreference("WebKitWebGLEnabled", "1");
+}
+
+function createShader(str, type) {
+ var shader = gl.createShader(type);
+ gl.shaderSource(shader, str);
+ gl.compileShader(shader);
+ return shader;
+}
+
+function createProgram(vstr, fstr) {
+ var program = gl.createProgram();
+ var vshader = createShader(vstr, gl.VERTEX_SHADER);
+ var fshader = createShader(fstr, gl.FRAGMENT_SHADER);
+ gl.attachShader(program, vshader);
+ gl.attachShader(program, fshader);
+ gl.linkProgram(program);
+ return program;
+}
+
+var canvas = document.createElement("canvas");
+var gl = canvas.getContext("webgl");
+
+var vs = 'attribute vec2 pos; void main() { gl_Position = vec4(pos, 0, 1); }';
+var fs = 'precision mediump float; void main() { gl_FragColor = vec4(0,0.8,0,1); }';
+var program = createProgram(vs, fs);
+gl.useProgram(program);
+gl.drawArrays(0, 0, 0x40000000);
+</script>
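Review bot: The draw call on the second-to-last line passes the mode as a bare `0`; `gl.drawArrays(gl.POINTS, 0, 0x40000000);` says what is being drawn, and a short comment above it would explain why the test is shaped this way, e.g. `// 'pos' is never enabled, so attrib 0 is simulated; 0x40000000 vertices makes (count) * 4 floats exceed a 32-bit size.` (that the product overflows assumes GC3Dsizei is 32-bit, as the checked arithmetic in the WebCore hunk suggests). The script also never checks that `getContext("webgl")` returned a context, so on a configuration without WebGL it fails with a TypeError instead of producing the console message the expected file pins; a `if (!gl) { /* report and stop */ }` guard after the getContext line would make the failure mode explicit. The expected output also hard-codes the console line number (`line 32`), so any edit to this file that shifts the draw call must update the expectation too.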
Modified: branches/safari-600.1.4.17-branch/Source/WebCore/ChangeLog (187259 => 187260)
--- branches/safari-600.1.4.17-branch/Source/WebCore/ChangeLog 2015-07-23 22:16:18 UTC (rev 187259)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/ChangeLog 2015-07-23 22:18:42 UTC (rev 187260)
@@ -1,3 +1,30 @@
+2015-07-23 Babak Shafiei <[email protected]>
+
+ Merge r187189.
+
+ 2015-07-23 Dean Jackson <[email protected]>
+
+ Out of bounds in WebGLRenderingContext::simulateVertexAttrib0
+ https://bugs.webkit.org/show_bug.cgi?id=147176
+ <rdar://problem/21567767>
+
+ Reviewed by Oliver Hunt.
+
+ Test: fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays.html
+
+ Add overflow checking for the drawing calls, specifically the way
+ they may simulate vertexAttrib0.
+
+ * html/canvas/WebGLRenderingContextBase.cpp:
+ (WebCore::WebGLRenderingContextBase::validateDrawArrays): Call new validation method.
+ (WebCore::WebGLRenderingContextBase::validateDrawElements): Ditto.
+ (WebCore::WebGLRenderingContextBase::validateSimulatedVertexAttrib0): New method that
+ validates the parameters used to create the simulated attribute.
+ (WebCore::WebGLRenderingContextBase::simulateVertexAttrib0): No need to do overflow
+ checking here now that the validation method does it for us.
+ (WebCore::WebGLRenderingContextBase::validateVertexAttributes): Deleted.
+ * html/canvas/WebGLRenderingContextBase.h: Add new validation method.
+
2015-07-20 Lucas Forschler <[email protected]>
Merge r186895
Modified: branches/safari-600.1.4.17-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp (187259 => 187260)
--- branches/safari-600.1.4.17-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp 2015-07-23 22:16:18 UTC (rev 187259)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp 2015-07-23 22:18:42 UTC (rev 187260)
@@ -1708,7 +1708,6 @@
if (elementCount <= 0)
return true;
-
// Look in each consumed vertex attrib (by the current program).
bool sawNonInstancedAttrib = false;
bool sawEnabledAttrib = false;
@@ -1793,6 +1792,10 @@
synthesizeGLError(GraphicsContext3D::INVALID_OPERATION, functionName, "attempt to access out of bounds arrays");
return false;
}
+ if (!validateSimulatedVertexAttrib0(checkedSum.unsafeGet() - 1)) {
+ synthesizeGLError(GraphicsContext3D::INVALID_OPERATION, functionName, "attempt to access outside the bounds of the simulated vertexAttrib0 array");
+ return false;
+ }
} else {
if (!validateVertexAttributes(0)) {
synthesizeGLError(GraphicsContext3D::INVALID_OPERATION, functionName, "attribs not setup correctly");
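Review bot: The new `validateSimulatedVertexAttrib0(checkedSum.unsafeGet() - 1)` call is added only inside the branch that closes at `} else {`; the else branch still calls just `validateVertexAttributes(0)`, so if drawArrays reaches simulateVertexAttrib0 on that path (its caller is outside this hunk) the simulated-buffer size is never validated, and the rewritten simulateVertexAttrib0 later in this file now sizes the buffer with the default-handler `Checked<GC3Dsizei>` (crash-on-overflow in WTF) instead of the old RecordOverflow plus `return false`. The validator itself also returns true early when the current program is not using attrib 0, while simulateVertexAttrib0 still sizes and fills the buffer in that case once `m_vertexAttrib0UsedBefore` is set, so that path is unvalidated as well. The same placement applies to the drawElements hunk at `@@ -1873,6 +1876,12 @@`. Either call the validator on both branches, or keep `Checked<GC3Dsizei, RecordOverflow>` with an early `return false` in simulateVertexAttrib0 as a backstop so an unexpected overflow fails the draw rather than terminating the process. The `- 1` on `checkedSum.unsafeGet()` presumes a zero count was rejected earlier in validateDrawArrays, which is outside this hunk; a one-line comment stating that precondition would help the next reader.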
@@ -1873,6 +1876,12 @@
return false;
}
}
+
+ if (!validateSimulatedVertexAttrib0(numElements)) {
+ synthesizeGLError(GraphicsContext3D::INVALID_OPERATION, functionName, "attempt to access outside the bounds of the simulated vertexAttrib0 array");
+ return false;
+ }
+
} else {
if (!validateVertexAttributes(0)) {
synthesizeGLError(GraphicsContext3D::INVALID_OPERATION, functionName, "attribs not setup correctly");
@@ -4669,36 +4678,69 @@
m_vertexAttrib0UsedBefore = false;
}
+bool WebGLRenderingContextBase::validateSimulatedVertexAttrib0(GC3Dsizei numVertex)
+{
+ if (numVertex < 0)
+ return false;
+
+ if (!m_currentProgram)
+ return true;
+
+ bool usingVertexAttrib0 = m_currentProgram->isUsingVertexAttrib0();
+ if (!usingVertexAttrib0)
+ return true;
+
+ auto& state = m_boundVertexArrayObject->getVertexAttribState(0);
+ if (state.enabled)
+ return true;
+
+ Checked<GC3Dsizei, RecordOverflow> bufferSize(numVertex);
+ bufferSize += 1;
+ bufferSize *= Checked<GC3Dsizei>(4);
+ Checked<GC3Dsizeiptr, RecordOverflow> bufferDataSize(bufferSize);
+ bufferDataSize *= Checked<GC3Dsizeiptr>(sizeof(GC3Dfloat));
+ return !bufferDataSize.hasOverflowed();
+}
+
bool WebGLRenderingContextBase::simulateVertexAttrib0(GC3Dsizei numVertex)
{
- const WebGLVertexArrayObjectBase::VertexAttribState& state = m_boundVertexArrayObject->getVertexAttribState(0);
- const VertexAttribValue& attribValue = m_vertexAttribValue[0];
if (!m_currentProgram)
return false;
bool usingVertexAttrib0 = m_currentProgram->isUsingVertexAttrib0();
if (usingVertexAttrib0)
m_vertexAttrib0UsedBefore = true;
+
+ auto& state = m_boundVertexArrayObject->getVertexAttribState(0);
if (state.enabled && usingVertexAttrib0)
return false;
if (!usingVertexAttrib0 && !m_vertexAttrib0UsedBefore)
return false;
m_vertexAttrib0UsedBefore = true;
m_context->bindBuffer(GraphicsContext3D::ARRAY_BUFFER, m_vertexAttrib0Buffer->object());
- Checked<GC3Dsizeiptr, RecordOverflow> bufferDataSize = (numVertex + 1) * 4 * sizeof(GC3Dfloat);
- if (bufferDataSize.hasOverflowed())
- return false;
+
+ Checked<GC3Dsizei> bufferSize(numVertex);
+ bufferSize += 1;
+ bufferSize *= Checked<GC3Dsizei>(4);
+
+ Checked<GC3Dsizeiptr> bufferDataSize(bufferSize);
+ bufferDataSize *= Checked<GC3Dsizeiptr>(sizeof(GC3Dfloat));
+
if (bufferDataSize.unsafeGet() > m_vertexAttrib0BufferSize) {
m_context->bufferData(GraphicsContext3D::ARRAY_BUFFER, bufferDataSize.unsafeGet(), 0, GraphicsContext3D::DYNAMIC_DRAW);
m_vertexAttrib0BufferSize = bufferDataSize.unsafeGet();
m_forceAttrib0BufferRefill = true;
}
+
+ auto& attribValue = m_vertexAttribValue[0];
+
if (usingVertexAttrib0
&& (m_forceAttrib0BufferRefill
|| attribValue.value[0] != m_vertexAttrib0BufferValue[0]
|| attribValue.value[1] != m_vertexAttrib0BufferValue[1]
|| attribValue.value[2] != m_vertexAttrib0BufferValue[2]
|| attribValue.value[3] != m_vertexAttrib0BufferValue[3])) {
- auto bufferData = std::make_unique<GC3Dfloat[]>((numVertex + 1) * 4);
+
+ auto bufferData = std::make_unique<GC3Dfloat[]>(bufferSize.unsafeGet());
for (GC3Dsizei ii = 0; ii < numVertex + 1; ++ii) {
bufferData[ii * 4] = attribValue.value[0];
bufferData[ii * 4 + 1] = attribValue.value[1];