Title: [243506] trunk
Revision
243506
Author
d...@apple.com
Date
2019-03-26 11:00:55 -0700 (Tue, 26 Mar 2019)

Log Message

vertexAttribPointer must restrict offset parameter
https://bugs.webkit.org/show_bug.cgi?id=196261
<rdar://problem/48458086>

Reviewed by Antoine Quint.

Source/WebCore:

This WebGL function should fail if the offset parameter is
not within [0, max 32-bit int].

Test: fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html

* html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::vertexAttribPointer):

LayoutTests:

Add a test where the offset parameter is out of bounds.

* fast/canvas/webgl/vertexAttribPointer-with-bad-offset-expected.txt: Added.
* fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (243505 => 243506)


--- trunk/LayoutTests/ChangeLog	2019-03-26 17:57:58 UTC (rev 243505)
+++ trunk/LayoutTests/ChangeLog	2019-03-26 18:00:55 UTC (rev 243506)
@@ -1,3 +1,16 @@
+2019-03-26  Dean Jackson  <d...@apple.com>
+
+        vertexAttribPointer must restrict offset parameter
+        https://bugs.webkit.org/show_bug.cgi?id=196261
+        <rdar://problem/48458086>
+
+        Reviewed by Antoine Quint.
+
+        Add a test where the offset parameter is out of bounds.
+
+        * fast/canvas/webgl/vertexAttribPointer-with-bad-offset-expected.txt: Added.
+        * fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html: Added.
+
 2019-03-26  Zalan Bujtas  <za...@apple.com>
 
         [ContentChangeObserver] Skip anonymous renderers when checking for "willRespondToMouseClickEvents"

Added: trunk/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset-expected.txt (0 => 243506)


--- trunk/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset-expected.txt	2019-03-26 18:00:55 UTC (rev 243506)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 49: WebGL: INVALID_VALUE: vertexAttribPointer: bad offset
+CONSOLE MESSAGE: line 56: WebGL: INVALID_OPERATION: drawArrays: attempt to access out of bounds arrays
+PASS: vertexAttribPointer should have an error.
+
Property changes on: trunk/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset-expected.txt
___________________________________________________________________

Added: svn:eol-style

+native \ No newline at end of property

Added: svn:keywords

+Date Revision \ No newline at end of property

Added: svn:mime-type

+text/plain \ No newline at end of property

Added: trunk/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html (0 => 243506)


--- trunk/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html	2019-03-26 18:00:55 UTC (rev 243506)
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+<script id="vshader" type="x-shader/x-vertex">
+attribute vec4 a1;
+void main () {
+gl_Position = a1;
+}
+</script>
+
+<script id="fshader" type="x-shader/x-fragment">
+#ifdef GL_ES
+precision highp float;
+#endif
+void main() {
+gl_FragColor = vec4(1.0, 1.0, 1.0, 1.0);
+}
+</script>
+
+<body>
+<div id="results"></div>
+<canvas id="canvas"></canvas>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+const canvas = document.getElementById("canvas");
+const gl = canvas.getContext("webgl");
+
+const vShader = gl.createShader(gl.VERTEX_SHADER);
+gl.shaderSource(vShader, document.getElementById("vshader").text);
+gl.compileShader(vShader);
+
+const fShader = gl.createShader(gl.FRAGMENT_SHADER);
+gl.shaderSource(fShader, document.getElementById("fshader").text);
+gl.compileShader(fShader);
+
+const program = gl.createProgram();
+gl.attachShader(program, vShader);
+gl.attachShader(program, fShader);
+gl.linkProgram(program);
+gl.useProgram(program);
+
+const attribute = gl.getAttribLocation(program, "a1");
+gl.enableVertexAttribArray(attribute);
+
+const b1 = gl.createBuffer();
+gl.bindBuffer(gl.ARRAY_BUFFER, b1);
+
+gl.vertexAttribPointer(attribute, 1, gl.BYTE, true, 1, 0x00ffff00000000);
+document.getElementById("results").textContent = `${gl.getError() == gl.NO_ERROR ? "FAIL" : "PASS"}: vertexAttribPointer should have an error.`;
+
+const b2 = gl.createBuffer();
+gl.bindBuffer(gl.ARRAY_BUFFER, b2);
+gl.bufferData(gl.ARRAY_BUFFER, new Uint16Array(100), gl.DYNAMIC_DRAW);
+
+gl.drawArrays(gl.LINES, 100, 100);
+</script>
+</body>
+</html>
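Review bot: The PASS condition on the `gl.getError()` line accepts any GL error, so the test would still report PASS if the call failed for a reason unrelated to the offset check. Comparing against the specific code pins the intended behaviour in the visible result: `gl.getError() == gl.INVALID_VALUE ? "PASS" : "FAIL"`. The test also exercises only one value far outside the range. Adding a case at each edge (2147483647 accepted, 2147483648 rejected) and a negative offset would guard the comparison against off-by-one or signedness regressions. `canvas.getContext("webgl")` is used without a null check, so a run without WebGL would fail with a script exception rather than a clear FAIL line.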
Property changes on: trunk/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html
___________________________________________________________________

Added: svn:eol-style

+native \ No newline at end of property

Added: svn:keywords

+Date Revision \ No newline at end of property

Added: svn:mime-type

+text/html \ No newline at end of property

Modified: trunk/Source/WebCore/ChangeLog (243505 => 243506)


--- trunk/Source/WebCore/ChangeLog	2019-03-26 17:57:58 UTC (rev 243505)
+++ trunk/Source/WebCore/ChangeLog	2019-03-26 18:00:55 UTC (rev 243506)
@@ -1,3 +1,19 @@
+2019-03-26  Dean Jackson  <d...@apple.com>
+
+        vertexAttribPointer must restrict offset parameter
+        https://bugs.webkit.org/show_bug.cgi?id=196261
+        <rdar://problem/48458086>
+
+        Reviewed by Antoine Quint.
+
+        This WebGL function should fail if the offset parameter is
+        not within [0, max 32-bit int].
+
+        Test: fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html
+
+        * html/canvas/WebGLRenderingContextBase.cpp:
+        (WebCore::WebGLRenderingContextBase::vertexAttribPointer):
+
 2019-03-26  Antoine Quint  <grao...@apple.com>
 
         Remove mousemoveEventHandlingPreventsDefault internal setting and quirk

Modified: trunk/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp (243505 => 243506)


--- trunk/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	2019-03-26 17:57:58 UTC (rev 243505)
+++ trunk/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	2019-03-26 18:00:55 UTC (rev 243506)
@@ -5000,10 +5000,18 @@
         synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "vertexAttribPointer", "index out of range");
         return;
     }
-    if (size < 1 || size > 4 || stride < 0 || stride > 255 || offset < 0) {
-        synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "vertexAttribPointer", "bad size, stride or offset");
+    if (size < 1 || size > 4) {
+        synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "vertexAttribPointer", "bad size");
         return;
     }
+    if (stride < 0 || stride > 255) {
+        synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "vertexAttribPointer", "bad stride");
+        return;
+    }
+    if (offset < 0 || offset > std::numeric_limits<int32_t>::max()) {
+        synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "vertexAttribPointer", "bad offset");
+        return;
+    }
     if (!m_boundArrayBuffer) {
         synthesizeGLError(GraphicsContext3D::INVALID_OPERATION, "vertexAttribPointer", "no bound ARRAY_BUFFER");
         return;
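Review bot: The new upper bound on `offset` has no comment saying why the 32-bit maximum is the limit, so a later reader cannot tell which downstream narrowing or arithmetic it protects. A line above the `offset` check such as `// Offsets beyond INT32_MAX cannot be represented where the attribute state is consumed; reject them here (webkit.org/b/196261).` would record that, with the wording adjusted to what the code below the hunk actually does with `offset`. The check uses `std::numeric_limits`, so `<limits>` must be reachable from this file; the include list is outside the hunk, so this could not be confirmed. The body of vertexAttribPointer starts before and continues after the hunk.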