Title: [187261] branches/safari-600.8-branch

Diff

Modified: branches/safari-600.8-branch/LayoutTests/ChangeLog (187260 => 187261)


--- branches/safari-600.8-branch/LayoutTests/ChangeLog	2015-07-23 22:18:42 UTC (rev 187260)
+++ branches/safari-600.8-branch/LayoutTests/ChangeLog	2015-07-23 22:19:31 UTC (rev 187261)
@@ -1,3 +1,18 @@
+2015-07-23  Babak Shafiei  <[email protected]>
+
+        Merge r187189.
+
+    2015-07-23  Dean Jackson  <[email protected]>
+
+            Out of bounds in WebGLRenderingContext::simulateVertexAttrib0
+            https://bugs.webkit.org/show_bug.cgi?id=147176
+            <rdar://problem/21567767>
+
+            Reviewed by Oliver Hunt.
+
+            * fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays-expected.txt: Added.
+            * fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays.html: Added.
+
 2015-07-23  Anders Carlsson  <[email protected]>
 
         Skip a couple of region selection tests.

Added: branches/safari-600.8-branch/LayoutTests/fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays-expected.txt (0 => 187261)


--- branches/safari-600.8-branch/LayoutTests/fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays-expected.txt	                        (rev 0)
+++ branches/safari-600.8-branch/LayoutTests/fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays-expected.txt	2015-07-23 22:19:31 UTC (rev 187261)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 32: WebGL: INVALID_OPERATION: drawArrays: attempt to access outside the bounds of the simulated vertexAttrib0 array
+

Added: branches/safari-600.8-branch/LayoutTests/fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays.html (0 => 187261)


--- branches/safari-600.8-branch/LayoutTests/fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays.html	                        (rev 0)
+++ branches/safari-600.8-branch/LayoutTests/fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays.html	2015-07-23 22:19:31 UTC (rev 187261)
@@ -0,0 +1,33 @@
+<script>
+
+if (window.testRunner) {
+    window.testRunner.dumpAsText();
+    testRunner.overridePreference("WebKitWebGLEnabled", "1");
+}
+
+function createShader(str, type) {
+    var shader = gl.createShader(type);
+    gl.shaderSource(shader, str);
+    gl.compileShader(shader);
+    return shader;
+}
+
+function createProgram(vstr, fstr) {
+    var program = gl.createProgram();
+    var vshader = createShader(vstr, gl.VERTEX_SHADER);
+    var fshader = createShader(fstr, gl.FRAGMENT_SHADER);
+    gl.attachShader(program, vshader);
+    gl.attachShader(program, fshader);
+    gl.linkProgram(program);
+    return program;
+}
+
+var canvas = document.createElement("canvas");
+var gl = canvas.getContext("webgl");
+
+var vs = 'attribute vec2 pos; void main() { gl_Position = vec4(pos, 0, 1); }';
+var fs = 'precision mediump float; void main() { gl_FragColor = vec4(0,0.8,0,1); }';
+var program = createProgram(vs, fs);
+gl.useProgram(program);
+gl.drawArrays(0, 0, 0x40000000);
+</script>
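Review bot: This test only exercises the drawArrays path, while the commit adds the same validateSimulatedVertexAttrib0 guard to validateDrawElements with no corresponding test, so a regression in the drawElements branch would go unnoticed. A companion out-of-bounds-simulated-vertexAttrib0-drawElements.html against the same used-but-disabled attrib 0 program would close that gap; since count is bounded by the element buffer size before the new guard runs, it would presumably need to reach the check through a large index value rather than a large count, so the expected console line needs confirming. A comment above the draw call, e.g. `// attrib 0 is referenced by the shader but never enabled, so the count must overflow the (count * 4 floats) simulated-buffer math`, would also explain the magic 0x40000000. Note the expected output pins "line 32", so any line added above `gl.drawArrays` must be mirrored in the -expected.txt.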

Modified: branches/safari-600.8-branch/Source/WebCore/ChangeLog (187260 => 187261)


--- branches/safari-600.8-branch/Source/WebCore/ChangeLog	2015-07-23 22:18:42 UTC (rev 187260)
+++ branches/safari-600.8-branch/Source/WebCore/ChangeLog	2015-07-23 22:19:31 UTC (rev 187261)
@@ -1,3 +1,30 @@
+2015-07-23  Babak Shafiei  <[email protected]>
+
+        Merge r187189.
+
+    2015-07-23  Dean Jackson  <[email protected]>
+
+            Out of bounds in WebGLRenderingContext::simulateVertexAttrib0
+            https://bugs.webkit.org/show_bug.cgi?id=147176
+            <rdar://problem/21567767>
+
+            Reviewed by Oliver Hunt.
+
+            Test: fast/canvas/webgl/out-of-bounds-simulated-vertexAttrib0-drawArrays.html
+
+            Add overflow checking for the drawing calls, specifically the way
+            they may simulate vertexAttrib0.
+
+            * html/canvas/WebGLRenderingContextBase.cpp:
+            (WebCore::WebGLRenderingContextBase::validateDrawArrays): Call new validation method.
+            (WebCore::WebGLRenderingContextBase::validateDrawElements): Ditto.
+            (WebCore::WebGLRenderingContextBase::validateSimulatedVertexAttrib0): New method that
+            validates the parameters used to create the simulated attribute.
+            (WebCore::WebGLRenderingContextBase::simulateVertexAttrib0): No need to do overflow
+            checking here now that the validation method does it for us.
+            (WebCore::WebGLRenderingContextBase::validateVertexAttributes): Deleted.
+            * html/canvas/WebGLRenderingContextBase.h: Add new validation method.
+
 2015-07-15  Matthew Hanson  <[email protected]>
 
         Merge r186863. rdar://problem/21714843

Modified: branches/safari-600.8-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp (187260 => 187261)


--- branches/safari-600.8-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	2015-07-23 22:18:42 UTC (rev 187260)
+++ branches/safari-600.8-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	2015-07-23 22:19:31 UTC (rev 187261)
@@ -1708,7 +1708,6 @@
     if (elementCount <= 0)
         return true;
 
-
     // Look in each consumed vertex attrib (by the current program).
     bool sawNonInstancedAttrib = false;
     bool sawEnabledAttrib = false;
@@ -1793,6 +1792,10 @@
             synthesizeGLError(GraphicsContext3D::INVALID_OPERATION, functionName, "attempt to access out of bounds arrays");
             return false;
         }
+        if (!validateSimulatedVertexAttrib0(checkedSum.unsafeGet() - 1)) {
+            synthesizeGLError(GraphicsContext3D::INVALID_OPERATION, functionName, "attempt to access outside the bounds of the simulated vertexAttrib0 array");
+            return false;
+        }
     } else {
         if (!validateVertexAttributes(0)) {
             synthesizeGLError(GraphicsContext3D::INVALID_OPERATION, functionName, "attribs not setup correctly");
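Review bot: The value validated at L133, `checkedSum.unsafeGet() - 1`, must be exactly what drawArrays later hands to simulateVertexAttrib0, and that call is not in this hunk, so the coupling deserves a comment, e.g. `// Must match the first + count - 1 that drawArrays() passes to simulateVertexAttrib0().` The subtraction itself is safe here because this branch has already rejected an overflowed checkedSum at L130. The else branch at L137 gets no simulated-attrib check, which is fine only if simulation is also skipped on that path; worth confirming. The ChangeLog entry says validateVertexAttributes was deleted, yet this hunk still calls it at L138, so one of the two is stale. validateDrawArrays starts and ends outside the hunk.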
@@ -1873,6 +1876,12 @@
                 return false;
             }
         }
+
+        if (!validateSimulatedVertexAttrib0(numElements)) {
+            synthesizeGLError(GraphicsContext3D::INVALID_OPERATION, functionName, "attempt to access outside the bounds of the simulated vertexAttrib0 array");
+            return false;
+        }
+
     } else {
         if (!validateVertexAttributes(0)) {
             synthesizeGLError(GraphicsContext3D::INVALID_OPERATION, functionName, "attribs not setup correctly");
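Review bot: The stray blank line at L149 before `} else` is inconsistent with the surrounding code and with the drawArrays hunk and should be dropped. More substantively, this site validates `numElements` while the drawArrays site validates `checkedSum.unsafeGet() - 1`; both presumably map onto the single numVertex parameter of simulateVertexAttrib0, which sizes the buffer for numVertex + 1 vertices, so a comment such as `// numElements is the largest index in the bound element buffer; simulateVertexAttrib0() allocates numElements + 1 vertices.` would document why the two call sites differ by one. validateDrawElements starts and ends outside the hunk.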
@@ -4669,36 +4678,69 @@
     m_vertexAttrib0UsedBefore = false;
 }
 
+bool WebGLRenderingContextBase::validateSimulatedVertexAttrib0(GC3Dsizei numVertex)
+{
+    if (numVertex < 0)
+        return false;
+
+    if (!m_currentProgram)
+        return true;
+
+    bool usingVertexAttrib0 = m_currentProgram->isUsingVertexAttrib0();
+    if (!usingVertexAttrib0)
+        return true;
+
+    auto& state = m_boundVertexArrayObject->getVertexAttribState(0);
+    if (state.enabled)
+        return true;
+
+    Checked<GC3Dsizei, RecordOverflow> bufferSize(numVertex);
+    bufferSize += 1;
+    bufferSize *= Checked<GC3Dsizei>(4);
+    Checked<GC3Dsizeiptr, RecordOverflow> bufferDataSize(bufferSize);
+    bufferDataSize *= Checked<GC3Dsizeiptr>(sizeof(GC3Dfloat));
+    return !bufferDataSize.hasOverflowed();
+}
+
 bool WebGLRenderingContextBase::simulateVertexAttrib0(GC3Dsizei numVertex)
 {
-    const WebGLVertexArrayObjectBase::VertexAttribState& state = m_boundVertexArrayObject->getVertexAttribState(0);
-    const VertexAttribValue& attribValue = m_vertexAttribValue[0];
     if (!m_currentProgram)
         return false;
     bool usingVertexAttrib0 = m_currentProgram->isUsingVertexAttrib0();
     if (usingVertexAttrib0)
         m_vertexAttrib0UsedBefore = true;
+
+    auto& state = m_boundVertexArrayObject->getVertexAttribState(0);
     if (state.enabled && usingVertexAttrib0)
         return false;
     if (!usingVertexAttrib0 && !m_vertexAttrib0UsedBefore)
         return false;
     m_vertexAttrib0UsedBefore = true;
     m_context->bindBuffer(GraphicsContext3D::ARRAY_BUFFER, m_vertexAttrib0Buffer->object());
-    Checked<GC3Dsizeiptr, RecordOverflow> bufferDataSize = (numVertex + 1) * 4 * sizeof(GC3Dfloat);
-    if (bufferDataSize.hasOverflowed())
-        return false;
+    
+    Checked<GC3Dsizei> bufferSize(numVertex);
+    bufferSize += 1;
+    bufferSize *= Checked<GC3Dsizei>(4);
+
+    Checked<GC3Dsizeiptr> bufferDataSize(bufferSize);
+    bufferDataSize *= Checked<GC3Dsizeiptr>(sizeof(GC3Dfloat));
+   
     if (bufferDataSize.unsafeGet() > m_vertexAttrib0BufferSize) {
         m_context->bufferData(GraphicsContext3D::ARRAY_BUFFER, bufferDataSize.unsafeGet(), 0, GraphicsContext3D::DYNAMIC_DRAW);
         m_vertexAttrib0BufferSize = bufferDataSize.unsafeGet();
         m_forceAttrib0BufferRefill = true;
     }
+
+    auto& attribValue = m_vertexAttribValue[0];
+
     if (usingVertexAttrib0
         && (m_forceAttrib0BufferRefill
             || attribValue.value[0] != m_vertexAttrib0BufferValue[0]
             || attribValue.value[1] != m_vertexAttrib0BufferValue[1]
             || attribValue.value[2] != m_vertexAttrib0BufferValue[2]
             || attribValue.value[3] != m_vertexAttrib0BufferValue[3])) {
-        auto bufferData = std::make_unique<GC3Dfloat[]>((numVertex + 1) * 4);
+
+        auto bufferData = std::make_unique<GC3Dfloat[]>(bufferSize.unsafeGet());
         for (GC3Dsizei ii = 0; ii < numVertex + 1; ++ii) {
             bufferData[ii * 4] = attribValue.value[0];
             bufferData[ii * 4 + 1] = attribValue.value[1];
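Review bot: validateSimulatedVertexAttrib0 returns true early on `!usingVertexAttrib0` (L166) and on `state.enabled` (L170), but simulateVertexAttrib0 only bails on `state.enabled && usingVertexAttrib0` (L192) and `!usingVertexAttrib0 && !m_vertexAttrib0UsedBefore` (L194), so a draw with a program that does not use attrib 0, issued after one that did, reaches the `Checked<GC3Dsizei> bufferSize` arithmetic at L202-L207 unvalidated, and that arithmetic now uses the default crash-on-overflow policy in place of the removed RecordOverflow early return (L198-L200). Unless an earlier bounds check already rejects such a count on that path, an oversized count becomes a deterministic crash reachable from content; the validator should mirror the simulator's own early-outs, as below. Separately, the checks bound only the integer arithmetic: a count approaching 2^29 vertices still passes and requests an ~8 GiB `make_unique<GC3Dfloat[]>` (L225) and `bufferData` (L210), and no cap on m_vertexAttrib0BufferSize is visible in this hunk. simulateVertexAttrib0 ends outside the hunk.
```cpp
bool WebGLRenderingContextBase::validateSimulatedVertexAttrib0(GC3Dsizei numVertex)
{
    if (numVertex < 0)
        return false;

    if (!m_currentProgram)
        return true;

    // Mirror simulateVertexAttrib0()'s early-outs exactly: it still sizes the
    // buffer when attrib 0 is unused but was simulated by an earlier draw.
    bool usingVertexAttrib0 = m_currentProgram->isUsingVertexAttrib0();
    auto& state = m_boundVertexArrayObject->getVertexAttribState(0);
    if (state.enabled && usingVertexAttrib0)
        return true;
    if (!usingVertexAttrib0 && !m_vertexAttrib0UsedBefore)
        return true;

    // … unchanged: RecordOverflow size computation and return …
}
```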