Changeset 53026 in webkit

Timestamp:

Jan 8, 2010 5:02:53 PM (14 years ago)

Author:

eric@webkit.org

Message:

2010-01-08 Kenneth Russell <​kbr@google.com>

Reviewed by Dimitri Glazkov.

Passing array that is too large to set method of WebGLArrays does not throw an exception
​https://bugs.webkit.org/show_bug.cgi?id=33352

Added needed range checks to JSC and V8 custom bindings. Expanded
preexisting test suite for WebGLArrays and updated its expected
results. Tested in WebKit and Chromium.

• fast/canvas/webgl/array-set-out-of-bounds-expected.txt: Added.
• fast/canvas/webgl/array-set-out-of-bounds.html: Added.
• fast/canvas/webgl/array-unit-tests-expected.txt:
• fast/canvas/webgl/array-unit-tests.html:

2010-01-08 Kenneth Russell <​kbr@google.com>

Reviewed by Dimitri Glazkov.

Passing array that is too large to set method of WebGLArrays does not throw an exception
​https://bugs.webkit.org/show_bug.cgi?id=33352

Added needed range checks to JSC and V8 custom bindings. Expanded
preexisting test suite for WebGLArrays and updated its expected
results. Tested in WebKit and Chromium.

Test: fast/canvas/webgl/array-set-out-of-bounds.html

• bindings/js/JSWebGLArrayHelper.h: (WebCore::setWebGLArrayFromArray):
• bindings/v8/custom/V8WebGLArrayCustom.h: (WebCore::setWebGLArrayFromArray):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/canvas/webgl/array-set-out-of-bounds-expected.txt (added)
• LayoutTests/fast/canvas/webgl/array-set-out-of-bounds.html (added)
• LayoutTests/fast/canvas/webgl/array-unit-tests-expected.txt (modified) (7 diffs)
• LayoutTests/fast/canvas/webgl/array-unit-tests.html (modified) (3 diffs)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/JSWebGLArrayHelper.h (modified) (2 diffs)
• WebCore/bindings/v8/custom/V8WebGLArrayCustom.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-01-08  Kenneth Russell  <kbr@google.com>
+
+        Reviewed by Dimitri Glazkov.
+
+        Passing array that is too large to set method of WebGLArrays does not throw an exception
+        https://bugs.webkit.org/show_bug.cgi?id=33352
+
+        Added needed range checks to JSC and V8 custom bindings. Expanded
+        preexisting test suite for WebGLArrays and updated its expected
+        results. Tested in WebKit and Chromium.
+
+        * fast/canvas/webgl/array-set-out-of-bounds-expected.txt: Added.
+        * fast/canvas/webgl/array-set-out-of-bounds.html: Added.
+        * fast/canvas/webgl/array-unit-tests-expected.txt:
+        * fast/canvas/webgl/array-unit-tests.html:
+
 2010-01-08  Eric Seidel  <eric@webkit.org>
 

trunk/LayoutTests/fast/canvas/webgl/array-unit-tests-expected.txt

@@ -11 +11 @@
 PASS negativeTest WebGLByteArray SetFromWebGLArray
 PASS test WebGLByteArray SetFromArray
+PASS negativeTest WebGLByteArray SetFromArray
 PASS test WebGLByteArray Slice
 PASS negativeTest WebGLByteArray Slice
@@ -22 +23 @@
 PASS negativeTest WebGLFloatArray SetFromWebGLArray
 PASS test WebGLFloatArray SetFromArray
+PASS negativeTest WebGLFloatArray SetFromArray
 PASS test WebGLFloatArray Slice
 PASS negativeTest WebGLFloatArray Slice
@@ -33 +35 @@
 PASS negativeTest WebGLIntArray SetFromWebGLArray
 PASS test WebGLIntArray SetFromArray
+PASS negativeTest WebGLIntArray SetFromArray
 PASS test WebGLIntArray Slice
 PASS negativeTest WebGLIntArray Slice
@@ -44 +47 @@
 PASS negativeTest WebGLShortArray SetFromWebGLArray
 PASS test WebGLShortArray SetFromArray
+PASS negativeTest WebGLShortArray SetFromArray
 PASS test WebGLShortArray Slice
 PASS negativeTest WebGLShortArray Slice
@@ -55 +59 @@
 PASS negativeTest WebGLUnsignedByteArray SetFromWebGLArray
 PASS test WebGLUnsignedByteArray SetFromArray
+PASS negativeTest WebGLUnsignedByteArray SetFromArray
 PASS test WebGLUnsignedByteArray Slice
 PASS negativeTest WebGLUnsignedByteArray Slice
@@ -66 +71 @@
 PASS negativeTest WebGLUnsignedIntArray SetFromWebGLArray
 PASS test WebGLUnsignedIntArray SetFromArray
+PASS negativeTest WebGLUnsignedIntArray SetFromArray
 PASS test WebGLUnsignedIntArray Slice
 PASS negativeTest WebGLUnsignedIntArray Slice
@@ -77 +83 @@
 PASS negativeTest WebGLUnsignedShortArray SetFromWebGLArray
 PASS test WebGLUnsignedShortArray SetFromArray
+PASS negativeTest WebGLUnsignedShortArray SetFromArray
 PASS test WebGLUnsignedShortArray Slice
 PASS negativeTest WebGLUnsignedShortArray Slice

trunk/LayoutTests/fast/canvas/webgl/array-unit-tests.html

@@ -33 +33 @@
     exc = currentlyRunning + ': ' + str;
   else
-    exc = str;
+    exc = currentlyRunning;
   testFailed(exc);
 }
@@ -278 +278 @@
     for (var i = 0; i < array2.length; i++) {
       assertEq('Element ' + i, 10 - i, array[i]);
+    }
+    pass();
+  } catch (e) {
+    fail(e);
+  }
+}
+
+function negativeTestSetFromArray(type, name) {
+  running('negativeTest ' + name + ' SetFromArray');
+  try {
+    var array = new type([2, 3]);
+    try {
+      array.set([4, 5], 1);
+      fail();
+      return;
+    } catch (e) {
+    }
+    try {
+      array.set([4, 5, 6]);
+      fail();
+      return;
+    } catch (e) {
     }
     pass();
@@ -431 +453 @@
     negativeTestSetFromWebGLArray(type, name);
     testSetFromArray(type, name);
+    negativeTestSetFromArray(type, name);
     testSlice(type, name);
     negativeTestSlice(type, name);

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-01-08  Kenneth Russell  <kbr@google.com>
+
+        Reviewed by Dimitri Glazkov.
+
+        Passing array that is too large to set method of WebGLArrays does not throw an exception
+        https://bugs.webkit.org/show_bug.cgi?id=33352
+
+        Added needed range checks to JSC and V8 custom bindings. Expanded
+        preexisting test suite for WebGLArrays and updated its expected
+        results. Tested in WebKit and Chromium.
+
+        Test: fast/canvas/webgl/array-set-out-of-bounds.html
+
+        * bindings/js/JSWebGLArrayHelper.h:
+        (WebCore::setWebGLArrayFromArray):
+        * bindings/v8/custom/V8WebGLArrayCustom.h:
+        (WebCore::setWebGLArrayFromArray):
+
 2010-01-08  Alexey Proskuryakov  <ap@apple.com>
 

trunk/WebCore/bindings/js/JSWebGLArrayHelper.h

@@ -28 +28 @@
 #define JSWebGLArrayHelper_h
 
+#include "ExceptionCode.h"
+#include "JSDOMBinding.h"
 #include <interpreter/CallFrame.h>
 #include <runtime/ArgList.h>
@@ -46 +48 @@
             offset = args.at(1).toInt32(exec);
         int length = array->get(exec, JSC::Identifier(exec, "length")).toInt32(exec);
-        for (int i = 0; i < length; i++) {
-            JSC::JSValue v = array->get(exec, i);
-            if (exec->hadException())
-                return JSC::jsUndefined();
-            webGLArray->set(i + offset, v.toNumber(exec));
+        if (offset + length > webGLArray->length())
+            setDOMException(exec, INDEX_SIZE_ERR);
+        else {
+            for (int i = 0; i < length; i++) {
+                JSC::JSValue v = array->get(exec, i);
+                if (exec->hadException())
+                    return JSC::jsUndefined();
+                webGLArray->set(i + offset, v.toNumber(exec));
+            }
         }
 

trunk/WebCore/bindings/v8/custom/V8WebGLArrayCustom.h

@@ -175 +175 @@
             offset = toInt32(args[1]);
         uint32_t length = toInt32(array->Get(v8::String::New("length")));
-        for (uint32_t i = 0; i < length; i++) {
-            webGLArray->set(offset + i, array->Get(v8::Integer::New(i))->NumberValue());
-        }
+        if (offset + length > webGLArray->length())
+            V8Proxy::setDOMException(INDEX_SIZE_ERR);
+        else
+            for (uint32_t i = 0; i < length; i++)
+                webGLArray->set(offset + i, array->Get(v8::Integer::New(i))->NumberValue());
     }