Changeset 270160 in webkit
- Timestamp: Nov 22, 2020 12:30:16 AM (20 months ago)
- Location: trunk
- Files: 2 added, 3 edited
  - LayoutTests/ChangeLog (modified) (1 diff)
  - LayoutTests/fast/canvas/webgl/getIndexedParameter-crash-expected.txt (added)
  - LayoutTests/fast/canvas/webgl/getIndexedParameter-crash.html (added)
  - Source/WebCore/ChangeLog (modified) (1 diff)
  - Source/WebCore/html/canvas/WebGLTransformFeedback.cpp (modified) (1 diff)
trunk/LayoutTests/ChangeLog
r270158 r270160 1 2020-11-22 Rob Buis <rbuis@igalia.com> 2 3 Fix getIndexedParameter indexing crash 4 https://bugs.webkit.org/show_bug.cgi?id=218601 5 6 Reviewed by Ryosuke Niwa. 7 8 Add testcase. 9 10 * fast/canvas/webgl/getIndexedParameter-crash-expected.txt: Added. 11 * fast/canvas/webgl/getIndexedParameter-crash.html: Added. 12 1 13 2020-11-21 Sihui Liu <sihui_liu@apple.com> 2 14 -
trunk/Source/WebCore/ChangeLog
r270159 r270160 1 2020-11-22 Rob Buis <rbuis@igalia.com> 2 3 Fix getIndexedParameter indexing crash 4 https://bugs.webkit.org/show_bug.cgi?id=218601 5 6 Reviewed by Ryosuke Niwa. 7 8 Like in setBoundIndexedTransformFeedbackBuffer ASSERT, the index should 9 always be smaller than size for indexing to be safe, so bail if the index 10 is greater than or equal to size. 11 12 * html/canvas/WebGLTransformFeedback.cpp: 13 (WebCore::WebGLTransformFeedback::getBoundIndexedTransformFeedbackBuffer): 14 1 15 2020-11-21 Ada Chan <adachan@apple.com> 2 16 -
trunk/Source/WebCore/html/canvas/WebGLTransformFeedback.cpp
r269850 r270160 77 77 bool WebGLTransformFeedback::getBoundIndexedTransformFeedbackBuffer(GCGLuint index, WebGLBuffer** outBuffer) 78 78 { 79 if (index > m_boundIndexedTransformFeedbackBuffers.size())79 if (index >= m_boundIndexedTransformFeedbackBuffers.size()) 80 80 return false; 81 81 *outBuffer = m_boundIndexedTransformFeedbackBuffers[index].get();
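Review bot: In WebGLTransformFeedback.cpp, the early "return false" at line 80 of getBoundIndexedTransformFeedbackBuffer leaves *outBuffer unwritten, so a caller that does not check the return value would go on to use whatever the pointer held before the call. Consider assigning *outBuffer = nullptr before returning false, or otherwise making the result impossible to ignore. The >= comparison itself is the right bound for a zero-based index: index == size() is one past the last element, and the previous > test let exactly that value through to the indexing on line 81. Separately, the Source/WebCore ChangeLog entry describes the matching bound in setBoundIndexedTransformFeedbackBuffer as an ASSERT; since ASSERT is a debug-only check in WebKit, it is worth confirming that every caller of the setter validates the index at runtime, or giving the setter the same bail-out as the getter.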