Skip to site navigation (Press enter)

[webkit-changes] [186456] releases/WebKitGTK/webkit-2.8/Source/WebCore

carlosgc Tue, 07 Jul 2015 05:31:52 -0700

Title: [186456] releases/WebKitGTK/webkit-2.8/Source/WebCore

Revision: 186456
Author: [email protected]
Date: 2015-07-07 05:30:57 -0700 (Tue, 07 Jul 2015)

Log Message

Merge r186384 - Memory corruption in WebGLRenderingContext::simulateVertexAttrib0
https://bugs.webkit.org/show_bug.cgi?id=146652
<rdar://problem/21567767>


Follow-up fix.

* html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::simulateVertexAttrib0):

Modified Paths

releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog
releases/WebKitGTK/webkit-2.8/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp

Diff

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (186455 => 186456)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog	2015-07-07 12:30:08 UTC (rev 186455)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog	2015-07-07 12:30:57 UTC (rev 186456)
@@ -4,6 +4,17 @@
         https://bugs.webkit.org/show_bug.cgi?id=146652
         <rdar://problem/21567767>
 
+        Follow-up fix.
+
+        * html/canvas/WebGLRenderingContextBase.cpp:
+        (WebCore::WebGLRenderingContextBase::simulateVertexAttrib0):
+
+2015-07-06  Dean Jackson  <[email protected]>
+
+        Memory corruption in WebGLRenderingContext::simulateVertexAttrib0
+        https://bugs.webkit.org/show_bug.cgi?id=146652
+        <rdar://problem/21567767>
+
         Reviewed by Brent Fulgham.
 
         The _expression_ "(numVertex + 1) * 4 * sizeof(GC3Dfloat)" could potentially

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp (186455 => 186456)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	2015-07-07 12:30:08 UTC (rev 186455)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	2015-07-07 12:30:57 UTC (rev 186456)
@@ -5162,7 +5162,9 @@
         return false;
     m_vertexAttrib0UsedBefore = true;
     m_context->bindBuffer(GraphicsContext3D::ARRAY_BUFFER, m_vertexAttrib0Buffer->object());
-    Checked<GC3Dsizeiptr, RecordOverflow> bufferDataSize = (numVertex + 1) * 4 * sizeof(GC3Dfloat);
+    Checked<GC3Dsizeiptr, RecordOverflow> bufferDataSize(numVertex);
+    bufferDataSize += 1;
+    bufferDataSize *= Checked<GC3Dsizeiptr, RecordOverflow>(4 * sizeof(GC3Dfloat));
     if (bufferDataSize.hasOverflowed())
         return false;
     if (bufferDataSize.unsafeGet() > m_vertexAttrib0BufferSize) {

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes