source: trunk/WebCore/html/canvas/WebGLByteArray.cpp @ 57559

Revision 57559, 3.0 KB checked in by eric@webkit.org, 4 years ago (diff)

2010-04-13 Zhenyao Mo <zmo@google.com>

Reviewed by Oliver Hunt.

Fix a potential integer overflow in WebGL*Array::slice()
https://bugs.webkit.org/show_bug.cgi?id=37466

  • fast/canvas/webgl/array-unit-tests-expected.txt: Add tests that would cause overflow without this fix, but work fine with this fix.
  • fast/canvas/webgl/array-unit-tests.html: Ditto.

2010-04-13 Zhenyao Mo <zmo@google.com>

Reviewed by Oliver Hunt.

Fix a potential integer overflow in WebGL*Array::slice()
https://bugs.webkit.org/show_bug.cgi?id=37466

  • html/canvas/WebGLArray.h: (WebCore::WebGLArray::clampOffsetAndNumElements): The input parameter "offset" now denotes an element index within the array view rather than a byte offset from the start of the buffer; the byte offset into the buffer is computed inside the function, so the element-to-byte conversion is no longer done (and can no longer overflow) at each call site.
  • html/canvas/WebGLByteArray.cpp: (WebCore::WebGLByteArray::slice): Changed according to new semantic of WebCore::WebGLArray::clampOffsetAndNumElements.
  • html/canvas/WebGLFloatArray.cpp: (WebCore::WebGLFloatArray::slice): Ditto.
  • html/canvas/WebGLIntArray.cpp: (WebCore::WebGLIntArray::slice): Ditto.
  • html/canvas/WebGLShortArray.cpp: (WebCore::WebGLShortArray::slice): Ditto.
  • html/canvas/WebGLUnsignedByteArray.cpp: (WebCore::WebGLUnsignedByteArray::slice): Ditto.
  • html/canvas/WebGLUnsignedIntArray.cpp: (WebCore::WebGLUnsignedIntArray::slice): Ditto.
  • html/canvas/WebGLUnsignedShortArray.cpp: (WebCore::WebGLUnsignedShortArray::slice): Ditto.
1/*
2 * Copyright (C) 2009 Apple Inc. All rights reserved.
3 * Copyright (C) 2009 Google Inc. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in the
12 *    documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY
15 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
17 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE COMPUTER, INC. OR
18 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
19 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
20 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
21 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
22 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include "config.h"
28
29#if ENABLE(3D_CANVAS)
30
31#include "WebGLArrayBuffer.h"
32#include "WebGLByteArray.h"
33
34namespace WebCore {
35
// Allocates a new backing buffer sized for `length` signed bytes and wraps
// all of it in a view starting at byte offset 0.
//
// The result is whatever the range-checked (buffer, byteOffset, length)
// overload returns, so callers must be prepared for 0 when the sub-range
// cannot be verified.
// NOTE(review): whether WebGLArrayBuffer::create itself rejects a `length`
// that would overflow the allocation is not visible from this file — confirm.
PassRefPtr<WebGLByteArray> WebGLByteArray::create(unsigned length)
{
    RefPtr<WebGLArrayBuffer> backingStore = WebGLArrayBuffer::create(length, sizeof(signed char));
    return create(backingStore, 0, length);
}
41
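// Creates a new byte array of `length` elements and copies `array[0..length)`
// into it element by element.
//
// `array` is a caller-owned, non-owning pointer that must reference at least
// `length` readable elements when `length` is non-zero; nothing here can
// check that.
//
// Returns the populated view, or 0 when the underlying view could not be
// created.
PassRefPtr<WebGLByteArray> WebGLByteArray::create(signed char* array, unsigned length)
{
    RefPtr<WebGLByteArray> a = WebGLByteArray::create(length);
    // create(length) forwards to the (buffer, byteOffset, length) overload,
    // which returns 0 when verifySubRange fails. The original code walked
    // straight into the copy loop and would dereference that null pointer
    // for any non-zero length; bail out instead.
    if (!a)
        return 0;
    for (unsigned i = 0; i < length; ++i)
        a->set(i, array[i]);
    return a;
}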
49
// Creates a view of `length` signed bytes over `buffer`, beginning
// `byteOffset` bytes into it.
//
// This is the only overload that validates its inputs: the view is handed
// to the constructor only after verifySubRange<signed char> has accepted
// the (buffer, byteOffset, length) triple. Anything it rejects — which is
// expected to include a range that would run past the buffer — yields 0
// rather than an out-of-bounds view.
PassRefPtr<WebGLByteArray> WebGLByteArray::create(PassRefPtr<WebGLArrayBuffer> buffer, unsigned byteOffset, unsigned length)
{
    RefPtr<WebGLArrayBuffer> owned(buffer);
    if (verifySubRange<signed char>(owned, byteOffset, length))
        return adoptRef(new WebGLByteArray(owned, byteOffset, length));
    return 0;
}
58
// Constructs a view of `length` elements starting `offset` bytes into
// `buffer`. The base class receives the buffer and byte offset; this class
// records only the element count.
//
// No range validation happens here — the constructor trusts its arguments.
// Within this file the only caller is the (buffer, byteOffset, length)
// create() overload, which runs verifySubRange first; new construction paths
// must go through that overload rather than calling this directly.
WebGLByteArray::WebGLByteArray(PassRefPtr<WebGLArrayBuffer> buffer, unsigned offset, unsigned length)
    : WebGLArray(buffer, offset)
    , m_size(length)
{
}
64
// Number of elements visible through this view (as recorded at construction).
unsigned WebGLByteArray::length() const
{
    return m_size;
}
68
// Size of the view in bytes. Because the element type is one byte wide, the
// element-to-byte multiplication cannot wrap here; the wider-element array
// classes listed in the change log are where such a product would need an
// overflow check.
unsigned WebGLByteArray::byteLength() const
{
    return static_cast<unsigned>(m_size * sizeof(signed char));
}
72
// Returns a new view covering elements [start, end) of this view, with the
// usual negative/out-of-range index handling delegated to
// calculateOffsetAndLength.
//
// The two out-parameters change meaning between the helper calls:
// calculateOffsetAndLength produces an element offset relative to this
// view, and — per the change log for this revision — clampOffsetAndNumElements
// turns it into a byte offset relative to the underlying buffer (folding in
// m_byteOffset) and clamps the count so the result stays inside the buffer.
// The byte offset is then what the range-checked create() overload expects,
// so an attacker-chosen start/end cannot produce a view past the buffer.
PassRefPtr<WebGLArray> WebGLByteArray::slice(int start, int end)
{
    unsigned sliceOffset = 0;
    unsigned sliceLength = 0;
    calculateOffsetAndLength(start, end, m_size, &sliceOffset, &sliceLength);
    clampOffsetAndNumElements<signed char>(buffer().get(), m_byteOffset, &sliceOffset, &sliceLength);
    return create(buffer(), sliceOffset, sliceLength);
}
80
// Copies the contents of `array` into this view starting at element
// `offset`, reporting failures through `ec`. The element offset is converted
// to a byte offset for setImpl; with a one-byte element type that conversion
// cannot overflow. (Presumably the sibling classes with 2- and 4-byte
// elements perform the same multiplication and would need a guard — not
// visible here.)
void WebGLByteArray::set(WebGLByteArray* array, unsigned offset, ExceptionCode& ec)
{
    const unsigned byteOffset = offset * sizeof(signed char);
    setImpl(array, byteOffset, ec);
}
84
85}
86
87#endif // ENABLE(3D_CANVAS)