Title: [186455] releases/WebKitGTK/webkit-2.8/Source/WebCore
- Revision
- 186455
- Author
- [email protected]
- Date
- 2015-07-07 05:30:08 -0700 (Tue, 07 Jul 2015)
Log Message
Merge r186380 - Memory corruption in WebGLRenderingContext::simulateVertexAttrib0
https://bugs.webkit.org/show_bug.cgi?id=146652
<rdar://problem/21567767>
Reviewed by Brent Fulgham.
The expression "(numVertex + 1) * 4 * sizeof(GC3Dfloat)" could potentially
overflow. Make it use checked arithmetic.
I couldn't make a test case that reliably exercised this.
* html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::simulateVertexAttrib0): Used Checked<GC3Dsizeiptr>
for calculating the size of the buffer.
Modified Paths
Diff
Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (186454 => 186455)
--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog 2015-07-07 12:28:13 UTC (rev 186454)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog 2015-07-07 12:30:08 UTC (rev 186455)
@@ -1,3 +1,20 @@
+2015-07-06 Dean Jackson <[email protected]>
+
+ Memory corruption in WebGLRenderingContext::simulateVertexAttrib0
+ https://bugs.webkit.org/show_bug.cgi?id=146652
+ <rdar://problem/21567767>
+
+ Reviewed by Brent Fulgham.
+
+ The _expression_ "(numVertex + 1) * 4 * sizeof(GC3Dfloat)" could potentially
+ overflow. Make it use checked arithmetic.
+
+ I couldn't make a test case that reliably exercised this.
+
+ * html/canvas/WebGLRenderingContextBase.cpp:
+ (WebCore::WebGLRenderingContextBase::simulateVertexAttrib0): Used Checked<GC3Dsizeiptr>
+ for calculating the size of the buffer.
+
2015-07-06 Zalan Bujtas <[email protected]>
Crash: LayoutState root's container is nullptr when the layout root is detached.
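Review bot: the ChangeLog entry undersells the behavioural change in the simulateVertexAttrib0 hunk: it says Checked<GC3Dsizeiptr> was "used for calculating the size of the buffer", but the code also adds an early `return false` when `bufferDataSize.hasOverflowed()`, so an overflowing vertex count now makes simulateVertexAttrib0 report failure to its callers instead of allocating. Suggest spelling that out here (and naming the actual type, `Checked<GC3Dsizeiptr, RecordOverflow>`), since it is the part a future reader of the draw-call paths will need to know about.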
Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp (186454 => 186455)
--- releases/WebKitGTK/webkit-2.8/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp 2015-07-07 12:28:13 UTC (rev 186454)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp 2015-07-07 12:30:08 UTC (rev 186455)
@@ -89,6 +89,7 @@
#include <runtime/JSCInlines.h>
#include <runtime/TypedArrayInlines.h>
#include <runtime/Uint32Array.h>
+#include <wtf/CheckedArithmetic.h>
#include <wtf/StdLibExtras.h>
#include <wtf/text/CString.h>
#include <wtf/text/StringBuilder.h>
@@ -5161,10 +5162,12 @@
return false;
m_vertexAttrib0UsedBefore = true;
m_context->bindBuffer(GraphicsContext3D::ARRAY_BUFFER, m_vertexAttrib0Buffer->object());
- GC3Dsizeiptr bufferDataSize = (numVertex + 1) * 4 * sizeof(GC3Dfloat);
- if (bufferDataSize > m_vertexAttrib0BufferSize) {
- m_context->bufferData(GraphicsContext3D::ARRAY_BUFFER, bufferDataSize, 0, GraphicsContext3D::DYNAMIC_DRAW);
- m_vertexAttrib0BufferSize = bufferDataSize;
+ Checked<GC3Dsizeiptr, RecordOverflow> bufferDataSize = (numVertex + 1) * 4 * sizeof(GC3Dfloat);
+ if (bufferDataSize.hasOverflowed())
+ return false;
+ if (bufferDataSize.unsafeGet() > m_vertexAttrib0BufferSize) {
+ m_context->bufferData(GraphicsContext3D::ARRAY_BUFFER, bufferDataSize.unsafeGet(), 0, GraphicsContext3D::DYNAMIC_DRAW);
+ m_vertexAttrib0BufferSize = bufferDataSize.unsafeGet();
m_forceAttrib0BufferRefill = true;
}
if (usingVertexAttrib0
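Review bot: the new `Checked<GC3Dsizeiptr, RecordOverflow> bufferDataSize = (numVertex + 1) * 4 * sizeof(GC3Dfloat);` does not actually check the multiplication. The whole right-hand side is still evaluated in the operands' own types before the result is converted into the Checked value, so only that final conversion is range-checked; an overflow inside `(numVertex + 1) * 4` happens before Checked ever sees a value, and the wrapped-around product could pass `hasOverflowed()` and reach `bufferData` as a too-small size. To get the checked arithmetic the ChangeLog describes, start from a Checked operand, e.g. `Checked<GC3Dsizeiptr, RecordOverflow> bufferDataSize(numVertex);` then `bufferDataSize += 1;` and `bufferDataSize *= 4 * sizeof(GC3Dfloat);` before the existing `hasOverflowed()` test. The rest of the hunk (early return, `unsafeGet()` only after the check, updating `m_vertexAttrib0BufferSize`) reads correctly.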
@@ -5185,7 +5188,7 @@
m_vertexAttrib0BufferValue[2] = attribValue.value[2];
m_vertexAttrib0BufferValue[3] = attribValue.value[3];
m_forceAttrib0BufferRefill = false;
- m_context->bufferSubData(GraphicsContext3D::ARRAY_BUFFER, 0, bufferDataSize, bufferData.get());
+ m_context->bufferSubData(GraphicsContext3D::ARRAY_BUFFER, 0, bufferDataSize.unsafeGet(), bufferData.get());
}
m_context->vertexAttribPointer(0, 4, GraphicsContext3D::FLOAT, 0, 0, 0);
return true;
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes