[webkit-changes] [186614] branches/safari-600.8-branch/Source/WebCore

Thu, 09 Jul 2015 14:02:31 -0700

Title: [186614] branches/safari-600.8-branch/Source/WebCore
Revision
186614
Author
matthew_han...@apple.com
Date
2015-07-09 14:02:02 -0700 (Thu, 09 Jul 2015)

Log Message

Merge r186506. rdar://problem/21707927


Modified Paths

Diff

Modified: branches/safari-600.8-branch/Source/WebCore/ChangeLog (186613 => 186614)


--- branches/safari-600.8-branch/Source/WebCore/ChangeLog	2015-07-09 21:01:59 UTC (rev 186613)
+++ branches/safari-600.8-branch/Source/WebCore/ChangeLog	2015-07-09 21:02:02 UTC (rev 186614)
@@ -1,5 +1,30 @@
 2015-07-09  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r186506. rdar://problem/21707927
+
+    2015-07-08  Matthew Hanson  <matthew_han...@apple.com>
+
+            Merge r186380. rdar://problem/21708281
+
+        2015-07-06  Dean Jackson  <d...@apple.com>
+
+                Memory corruption in WebGLRenderingContext::simulateVertexAttrib0
+                https://bugs.webkit.org/show_bug.cgi?id=146652
+                <rdar://problem/21567767>
+
+                Reviewed by Brent Fulgham.
+
+                The _expression_ "(numVertex + 1) * 4 * sizeof(GC3Dfloat)" could potentially
+                overflow. Make it use checked arithmetic.
+
+                I couldn't make a test case that reliably exercised this.
+
+                * html/canvas/WebGLRenderingContextBase.cpp:
+                (WebCore::WebGLRenderingContextBase::simulateVertexAttrib0): Used Checked<GC3Dsizeiptr>
+                for calculating the size of the buffer.
+
+2015-07-09  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r186505. rdar://problem/21707923
 
     2015-07-08  Matthew Hanson  <matthew_han...@apple.com>

Modified: branches/safari-600.8-branch/Source/WebCore/html/canvas/WebGLRenderingContext.cpp (186613 => 186614)


--- branches/safari-600.8-branch/Source/WebCore/html/canvas/WebGLRenderingContext.cpp	2015-07-09 21:01:59 UTC (rev 186613)
+++ branches/safari-600.8-branch/Source/WebCore/html/canvas/WebGLRenderingContext.cpp	2015-07-09 21:02:02 UTC (rev 186614)
@@ -20,7 +20,7 @@
  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "config.h"
@@ -85,6 +85,7 @@
 #include <runtime/JSCInlines.h>
 #include <runtime/TypedArrayInlines.h>
 #include <runtime/Uint32Array.h>
+#include <wtf/CheckedArithmetic.h>
 #include <wtf/StdLibExtras.h>
 #include <wtf/text/CString.h>
 #include <wtf/text/StringBuilder.h>
@@ -541,7 +542,7 @@
     m_stencilFuncMaskBack = 0xFFFFFFFF;
     m_layerCleared = false;
     m_numGLErrorsToConsoleAllowed = maxGLErrorsAllowedToConsole;
-    
+
     m_clearColor[0] = m_clearColor[1] = m_clearColor[2] = m_clearColor[3] = 0;
     m_scissorEnabled = false;
     m_clearDepth = 1;
@@ -556,7 +557,7 @@
     GC3Dint numVertexAttribs = 0;
     m_context->getIntegerv(GraphicsContext3D::MAX_VERTEX_ATTRIBS, &numVertexAttribs);
     m_maxVertexAttribs = numVertexAttribs;
-    
+
     m_maxTextureSize = 0;
     m_context->getIntegerv(GraphicsContext3D::MAX_TEXTURE_SIZE, &m_maxTextureSize);
     m_maxTextureLevel = WebGLTexture::computeLevelCount(m_maxTextureSize, m_maxTextureSize);
@@ -577,7 +578,7 @@
     m_defaultVertexArrayObject = WebGLVertexArrayObjectOES::create(this, WebGLVertexArrayObjectOES::VaoTypeDefault);
     addContextObject(m_defaultVertexArrayObject.get());
     m_boundVertexArrayObject = m_defaultVertexArrayObject;
-    
+
     m_vertexAttribValue.resize(m_maxVertexAttribs);
 
     if (!isGLES2NPOTStrict())
@@ -1771,7 +1772,7 @@
 bool WebGLRenderingContext::validateElementArraySize(GC3Dsizei count, GC3Denum type, GC3Dintptr offset)
 {
     RefPtr<WebGLBuffer> elementArrayBuffer = m_boundVertexArrayObject->getElementArrayBuffer();
-    
+
     if (!elementArrayBuffer)
         return false;
 
@@ -1815,7 +1816,7 @@
     // array buffers have enough elements to satisfy that maximum
     // index, skips the expensive per-draw-call iteration in
     // validateIndexArrayPrecise.
-    
+
     RefPtr<WebGLBuffer> elementArrayBuffer = m_boundVertexArrayObject->getElementArrayBuffer();
 
     if (!elementArrayBuffer)
@@ -1874,7 +1875,7 @@
 {
     ASSERT(count >= 0 && offset >= 0);
     unsigned lastIndex = 0;
-    
+
     RefPtr<WebGLBuffer> elementArrayBuffer = m_boundVertexArrayObject->getElementArrayBuffer();
 
     if (!elementArrayBuffer)
@@ -4129,7 +4130,7 @@
 {
     ec = 0;
     Vector<uint8_t> data;
-    GraphicsContext3D::ImageExtractor imageExtractor(image, domSource, premultiplyAlpha, m_unpackColorspaceConversion == GraphicsContext3D::NONE);  
+    GraphicsContext3D::ImageExtractor imageExtractor(image, domSource, premultiplyAlpha, m_unpackColorspaceConversion == GraphicsContext3D::NONE);
     if (!imageExtractor.extractSucceeded()) {
         synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "texSubImage2D", "bad image");
         return;
@@ -5877,7 +5878,7 @@
 void WebGLRenderingContext::initVertexAttrib0()
 {
     WebGLVertexArrayObjectOES::VertexAttribState& state = m_boundVertexArrayObject->getVertexAttribState(0);
-    
+
     m_vertexAttrib0Buffer = createBuffer();
     m_context->bindBuffer(GraphicsContext3D::ARRAY_BUFFER, m_vertexAttrib0Buffer->object());
     m_context->bufferData(GraphicsContext3D::ARRAY_BUFFER, 0, GraphicsContext3D::DYNAMIC_DRAW);
@@ -5909,10 +5910,12 @@
         return false;
     m_vertexAttrib0UsedBefore = true;
     m_context->bindBuffer(GraphicsContext3D::ARRAY_BUFFER, m_vertexAttrib0Buffer->object());
-    GC3Dsizeiptr bufferDataSize = (numVertex + 1) * 4 * sizeof(GC3Dfloat);
-    if (bufferDataSize > m_vertexAttrib0BufferSize) {
-        m_context->bufferData(GraphicsContext3D::ARRAY_BUFFER, bufferDataSize, 0, GraphicsContext3D::DYNAMIC_DRAW);
-        m_vertexAttrib0BufferSize = bufferDataSize;
+    Checked<GC3Dsizeiptr, RecordOverflow> bufferDataSize = (numVertex + 1) * 4 * sizeof(GC3Dfloat);
+    if (bufferDataSize.hasOverflowed())
+        return false;
+    if (bufferDataSize.unsafeGet() > m_vertexAttrib0BufferSize) {
+        m_context->bufferData(GraphicsContext3D::ARRAY_BUFFER, bufferDataSize.unsafeGet(), 0, GraphicsContext3D::DYNAMIC_DRAW);
+        m_vertexAttrib0BufferSize = bufferDataSize.unsafeGet();
         m_forceAttrib0BufferRefill = true;
     }
     if (usingVertexAttrib0
@@ -5933,7 +5936,7 @@
         m_vertexAttrib0BufferValue[2] = attribValue.value[2];
         m_vertexAttrib0BufferValue[3] = attribValue.value[3];
         m_forceAttrib0BufferRefill = false;
-        m_context->bufferSubData(GraphicsContext3D::ARRAY_BUFFER, 0, bufferDataSize, bufferData.get());
+        m_context->bufferSubData(GraphicsContext3D::ARRAY_BUFFER, 0, bufferDataSize.unsafeGet(), bufferData.get());
     }
     m_context->vertexAttribPointer(0, 4, GraphicsContext3D::FLOAT, 0, 0, 0);
     return true;

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to