Changeset 139923 in webkit
- Timestamp:
- Jan 16, 2013 2:05:46 PM (11 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 3 edited
trunk/Source/WebCore/ChangeLog
r139922 r139923 1 2013-01-16 Kenneth Russell <kbr@google.com> 2 3 Unreviewed, rolling out r139914. 4 http://trac.webkit.org/changeset/139914 5 https://bugs.webkit.org/show_bug.cgi?id=106975 6 7 Caused crashes in compositing/visibility/visibility-simple- 8 webgl-layer.html 9 10 * html/canvas/WebGLBuffer.cpp: 11 (WebCore::WebGLBuffer::associateBufferDataImpl): 12 (WebCore::WebGLBuffer::associateBufferData): 13 (WebCore::WebGLBuffer::associateBufferSubDataImpl): 14 (WebCore::WebGLBuffer::associateBufferSubData): 15 * html/canvas/WebGLBuffer.h: 16 (WebGLBuffer): 17 1 18 2013-01-16 Alexis Menard <alexis@webkit.org> 2 19 -
trunk/Source/WebCore/html/canvas/WebGLBuffer.cpp
r139914 r139923 62 62 } 63 63 64 bool WebGLBuffer::associateBufferDataImpl(const void* data, GC3Dsizeiptr byteLength) 65 { 66 if (byteLength < 0) 67 return false; 64 bool WebGLBuffer::associateBufferDataImpl(ArrayBuffer* array, GC3Dintptr byteOffset, GC3Dsizeiptr byteLength) 65 { 66 if (byteLength < 0 || byteOffset < 0) 67 return false; 68 69 if (array && byteLength) { 70 CheckedInt<GC3Dintptr> checkedOffset(byteOffset); 71 CheckedInt<GC3Dsizeiptr> checkedLength(byteLength); 72 CheckedInt<GC3Dintptr> checkedMax = checkedOffset + checkedLength; 73 if (!checkedMax.isValid() || checkedMax.value() > static_cast<int32_t>(array->byteLength())) 74 return false; 75 } 68 76 69 77 switch (m_target) { … … 77 85 return false; 78 86 } 79 if ( data) {87 if (array) { 80 88 // We must always clone the incoming data because client-side 81 89 // modifications without calling bufferData or bufferSubData 82 90 // must never be able to change the validation results. 83 memcpy(m_elementArrayBuffer->data(), data, byteLength); 91 memcpy(static_cast<unsigned char*>(m_elementArrayBuffer->data()), 92 static_cast<unsigned char*>(array->data()) + byteOffset, 93 byteLength); 84 94 } 85 95 } else … … 96 106 bool WebGLBuffer::associateBufferData(GC3Dsizeiptr size) 97 107 { 98 return associateBufferDataImpl(0, size); 108 if (size < 0) 109 return false; 110 return associateBufferDataImpl(0, 0, size); 99 111 } 100 112 … … 103 115 if (!array) 104 116 return false; 105 return associateBufferDataImpl(array ? array->data() : 0, array ? array->byteLength() : 0);117 return associateBufferDataImpl(array, 0, array->byteLength()); 106 118 } 107 119 … … 110 122 if (!array) 111 123 return false; 112 return associateBufferDataImpl(array ? array->baseAddress() : 0, array ? array->byteLength() : 0);113 } 114 115 bool WebGLBuffer::associateBufferSubDataImpl(GC3Dintptr offset, const void* data, GC3Dsizeiptr byteLength)116 { 117 if (! 
data || offset < 0 || byteLength < 0)124 return associateBufferDataImpl(array->buffer().get(), array->byteOffset(), array->byteLength()); 125 } 126 127 bool WebGLBuffer::associateBufferSubDataImpl(GC3Dintptr offset, ArrayBuffer* array, GC3Dintptr arrayByteOffset, GC3Dsizeiptr byteLength) 128 { 129 if (!array || offset < 0 || arrayByteOffset < 0 || byteLength < 0) 118 130 return false; 119 131 120 132 if (byteLength) { 121 133 CheckedInt<GC3Dintptr> checkedBufferOffset(offset); 122 CheckedInt<GC3Dsizeiptr> checkedDataLength(byteLength); 123 CheckedInt<GC3Dintptr> checkedBufferMax = checkedBufferOffset + checkedDataLength; 124 if (!checkedBufferMax.isValid() || offset > m_byteLength || checkedBufferMax.value() > m_byteLength) 134 CheckedInt<GC3Dintptr> checkedArrayOffset(arrayByteOffset); 135 CheckedInt<GC3Dsizeiptr> checkedLength(byteLength); 136 CheckedInt<GC3Dintptr> checkedArrayMax = checkedArrayOffset + checkedLength; 137 CheckedInt<GC3Dintptr> checkedBufferMax = checkedBufferOffset + checkedLength; 138 if (!checkedArrayMax.isValid() || checkedArrayMax.value() > static_cast<int32_t>(array->byteLength()) || !checkedBufferMax.isValid() || checkedBufferMax.value() > m_byteLength) 125 139 return false; 126 140 } … … 132 146 if (!m_elementArrayBuffer) 133 147 return false; 134 memcpy(static_cast<unsigned char*>(m_elementArrayBuffer->data()) + offset, data, byteLength); 148 memcpy(static_cast<unsigned char*>(m_elementArrayBuffer->data()) + offset, 149 static_cast<unsigned char*>(array->data()) + arrayByteOffset, 150 byteLength); 135 151 } 136 152 return true; … … 146 162 if (!array) 147 163 return false; 148 return associateBufferSubDataImpl(offset, array ->data(), array->byteLength());164 return associateBufferSubDataImpl(offset, array, 0, array->byteLength()); 149 165 } 150 166 … … 153 169 if (!array) 154 170 return false; 155 return associateBufferSubDataImpl(offset, array->b aseAddress(), array->byteLength());171 return associateBufferSubDataImpl(offset, 
array->buffer().get(), array->byteOffset(), array->byteLength()); 156 172 } 157 173 -
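Review bot: The upper-bound check in associateBufferDataImpl compares `checkedMax.value()` against `static_cast<int32_t>(array->byteLength())`, and associateBufferSubDataImpl repeats the same cast for `checkedArrayMax`. Narrowing the length to int32_t before comparing it with a GC3Dintptr value means a length above INT32_MAX would wrap negative. That fails closed (every copy is rejected) rather than allowing an out-of-bounds memcpy, but it ties the validation to a narrower type than the one being checked. Assuming byteLength() returns an unsigned value (its declaration is not shown here), casting to the checked type keeps the comparison in one domain: `checkedMax.value() > static_cast<GC3Dintptr>(array->byteLength())`. The allocation of m_elementArrayBuffer sits in the elided part of associateBufferDataImpl, so this section cannot confirm that the destination is always byteLength bytes before the memcpy.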
trunk/Source/WebCore/html/canvas/WebGLBuffer.h
r139914 r139923 96 96 97 97 // Helper function called by the three associateBufferData(). 98 bool associateBufferDataImpl( const void* data, GC3Dsizeiptr byteLength);98 bool associateBufferDataImpl(ArrayBuffer* array, GC3Dintptr byteOffset, GC3Dsizeiptr byteLength); 99 99 // Helper function called by the two associateBufferSubData(). 100 bool associateBufferSubDataImpl(GC3Dintptr offset, const void* data, GC3Dsizeiptr byteLength);100 bool associateBufferSubDataImpl(GC3Dintptr offset, ArrayBuffer* array, GC3Dintptr arrayByteOffset, GC3Dsizeiptr byteLength); 101 101 }; 102 102
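Review bot: The two helper declarations now take a raw `ArrayBuffer*` plus offsets, but their comments still only say who calls them and do not state the contract. In the .cpp section, associateBufferDataImpl is called with a null array by the size-only overload, while associateBufferSubDataImpl returns false when the array is null. Both validate offset plus length against `array->byteLength()` before copying. I would add that above each declaration, for example `// array may be null (allocate only); byteOffset + byteLength must lie within array->byteLength().` and `// array must be non-null; arrayByteOffset + byteLength must lie within array, offset + byteLength within this buffer.`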