Changeset 57559 in webkit

Timestamp:

Apr 13, 2010 10:29:23 PM (14 years ago)

Author:

eric@webkit.org

Message:

2010-04-13 Zhenyao Mo <​zmo@google.com>

Reviewed by Oliver Hunt.

Fix a potential integer overflow in WebGL*Array::slice()
​https://bugs.webkit.org/show_bug.cgi?id=37466

• fast/canvas/webgl/array-unit-tests-expected.txt: Add tests that would cause overflow without this fix, but work fine with this fix.
• fast/canvas/webgl/array-unit-tests.html: Ditto.

2010-04-13 Zhenyao Mo <​zmo@google.com>

Reviewed by Oliver Hunt.

Fix a potential integer overflow in WebGL*Array::slice()
​https://bugs.webkit.org/show_bug.cgi?id=37466

• html/canvas/WebGLArray.h: (WebCore::WebGLArray::clampOffsetAndNumElements): Input parameter "offset"'s semantic changed from in bytes from buffer to in elements from array view; calculate offset in bytes from buffer inside the function, avoiding overflow.
• html/canvas/WebGLByteArray.cpp: (WebCore::WebGLByteArray::slice): Changed according to new semantic of WebCore::WebGLArray::clampOffsetAndNumElements.
• html/canvas/WebGLFloatArray.cpp: (WebCore::WebGLFloatArray::slice): Ditto.
• html/canvas/WebGLIntArray.cpp: (WebCore::WebGLIntArray::slice): Ditto.
• html/canvas/WebGLShortArray.cpp: (WebCore::WebGLShortArray::slice): Ditto.
• html/canvas/WebGLUnsignedByteArray.cpp: (WebCore::WebGLUnsignedByteArray::slice): Ditto.
• html/canvas/WebGLUnsignedIntArray.cpp: (WebCore::WebGLUnsignedIntArray::slice): Ditto.
• html/canvas/WebGLUnsignedShortArray.cpp: (WebCore::WebGLUnsignedShortArray::slice): Ditto.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/canvas/webgl/array-unit-tests-expected.txt (modified) (5 diffs)
• LayoutTests/fast/canvas/webgl/array-unit-tests.html (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/html/canvas/WebGLArray.h (modified) (1 diff)
• WebCore/html/canvas/WebGLByteArray.cpp (modified) (1 diff)
• WebCore/html/canvas/WebGLFloatArray.cpp (modified) (1 diff)
• WebCore/html/canvas/WebGLIntArray.cpp (modified) (1 diff)
• WebCore/html/canvas/WebGLShortArray.cpp (modified) (1 diff)
• WebCore/html/canvas/WebGLUnsignedByteArray.cpp (modified) (1 diff)
• WebCore/html/canvas/WebGLUnsignedIntArray.cpp (modified) (1 diff)
• WebCore/html/canvas/WebGLUnsignedShortArray.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-04-13  Zhenyao Mo  <zmo@google.com>
+
+        Reviewed by Oliver Hunt.
+
+        Fix a potential integer overflow in WebGL*Array::slice()
+        https://bugs.webkit.org/show_bug.cgi?id=37466
+
+        * fast/canvas/webgl/array-unit-tests-expected.txt: Add tests that would cause overflow without this fix, but work fine with this fix.
+        * fast/canvas/webgl/array-unit-tests.html: Ditto.
+
 2010-04-13  Darin Fisher  <darin@chromium.org>
 

trunk/LayoutTests/fast/canvas/webgl/array-unit-tests-expected.txt

@@ -51 +51 @@
 PASS array.slice(4, 0x3FFFFFFF).length is (32 / typeSize) - 4
 PASS array.slice(4, -2147483648).length is 0
+PASS array.length is 0
 Testing slicing with default inputs of WebGLFloatArray
 PASS array.length is 32 / typeSize
@@ -80 +81 @@
 PASS array.slice(4, 0x3FFFFFFF).length is (32 / typeSize) - 4
 PASS array.slice(4, -2147483648).length is 0
+PASS array.length is 0
 Testing slicing with default inputs of WebGLIntArray
 PASS array.length is 32 / typeSize
@@ -109 +111 @@
 PASS array.slice(4, 0x3FFFFFFF).length is (32 / typeSize) - 4
 PASS array.slice(4, -2147483648).length is 0
+PASS array.length is 0
 Testing slicing with default inputs of WebGLShortArray
 PASS array.length is 32 / typeSize
@@ -166 +169 @@
 PASS array.slice(4, 0x3FFFFFFF).length is (32 / typeSize) - 4
 PASS array.slice(4, -2147483648).length is 0
+PASS array.length is 0
 Testing slicing with default inputs of WebGLUnsignedIntArray
 PASS array.length is 32 / typeSize
@@ -195 +199 @@
 PASS array.slice(4, 0x3FFFFFFF).length is (32 / typeSize) - 4
 PASS array.slice(4, -2147483648).length is 0
+PASS array.length is 0
 Testing slicing with default inputs of WebGLUnsignedShortArray
 PASS array.length is 32 / typeSize

trunk/LayoutTests/fast/canvas/webgl/array-unit-tests.html

@@ -429 +429 @@
             shouldBe("array.slice(4, 0x3FFFFFFF).length", "(32 / typeSize) - 4");
             shouldBe("array.slice(4, -2147483648).length", "0");
+            // Test slice() against overflows.
+            array = array.slice(2);
+            if (sz > 1) {
+                // Full byte offset is +1 larger than the maximum unsigned long int.
+                // Make sure slice() still handles it correctly.  Otherwise overflow would happen and
+                // offset would be 0, and array.length array.length would incorrectly be 1.
+                var start = 4294967296 / sz - 2;
+                array = array.slice(start, start + 1);
+                shouldBe("array.length", "0");
+            }
         } catch (e) {
             testFailed("Slicing of " + name + " threw exception");

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-04-13  Zhenyao Mo  <zmo@google.com>
+
+        Reviewed by Oliver Hunt.
+
+        Fix a potential integer overflow in WebGL*Array::slice()
+        https://bugs.webkit.org/show_bug.cgi?id=37466
+
+        * html/canvas/WebGLArray.h:
+        (WebCore::WebGLArray::clampOffsetAndNumElements): Input parameter "offset"'s semantic changed from in bytes from buffer to in elements from array view; calculate offset in bytes from buffer inside the function, avoiding overflow. 
+        * html/canvas/WebGLByteArray.cpp:
+        (WebCore::WebGLByteArray::slice): Changed according to new semantic of WebCore::WebGLArray::clampOffsetAndNumElements.
+        * html/canvas/WebGLFloatArray.cpp:
+        (WebCore::WebGLFloatArray::slice): Ditto.
+        * html/canvas/WebGLIntArray.cpp:
+        (WebCore::WebGLIntArray::slice): Ditto.
+        * html/canvas/WebGLShortArray.cpp:
+        (WebCore::WebGLShortArray::slice): Ditto.
+        * html/canvas/WebGLUnsignedByteArray.cpp:
+        (WebCore::WebGLUnsignedByteArray::slice): Ditto.
+        * html/canvas/WebGLUnsignedIntArray.cpp:
+        (WebCore::WebGLUnsignedIntArray::slice): Ditto.
+        * html/canvas/WebGLUnsignedShortArray.cpp:
+        (WebCore::WebGLUnsignedShortArray::slice): Ditto.
+
 2010-04-13  Darin Fisher  <darin@chromium.org>
 

trunk/WebCore/html/canvas/WebGLArray.h

@@ -91 +91 @@
     }
 
+    // Input offset is in number of elements from this array's view;
+    // output offset is in number of bytes from the underlying buffer's view.
     template <typename T>
     static void clampOffsetAndNumElements(PassRefPtr<WebGLArrayBuffer> buffer,
-                                          unsigned *byteOffset,
+                                          unsigned arrayByteOffset,
+                                          unsigned *offset,
                                           unsigned *numElements)
     {
-        *byteOffset = std::min(buffer->byteLength(), *byteOffset);
-        unsigned remainingElements = (buffer->byteLength() - *byteOffset) / sizeof(T);
+        unsigned maxOffset = (UINT_MAX - arrayByteOffset) / sizeof(T);
+        if (*offset > maxOffset) {
+            *offset = buffer->byteLength();
+            *numElements = 0;
+            return;
+        }
+        *offset = arrayByteOffset + *offset * sizeof(T);
+        *offset = std::min(buffer->byteLength(), *offset);
+        unsigned remainingElements = (buffer->byteLength() - *offset) / sizeof(T);
         *numElements = std::min(remainingElements, *numElements);
     }

trunk/WebCore/html/canvas/WebGLByteArray.cpp

@@ -75 +75 @@
     unsigned offset, length;
     calculateOffsetAndLength(start, end, m_size, &offset, &length);
-    unsigned fullOffset = m_byteOffset + offset * sizeof(signed char);
-    clampOffsetAndNumElements<signed char>(buffer().get(), &fullOffset, &length);
-    return create(buffer(), fullOffset, length);
+    clampOffsetAndNumElements<signed char>(buffer().get(), m_byteOffset, &offset, &length);
+    return create(buffer(), offset, length);
 }
 

trunk/WebCore/html/canvas/WebGLFloatArray.cpp

@@ -74 +74 @@
     unsigned offset, length;
     calculateOffsetAndLength(start, end, m_size, &offset, &length);
-    unsigned fullOffset = m_byteOffset + offset * sizeof(float);
-    clampOffsetAndNumElements<float>(buffer(), &fullOffset, &length);
-    return create(buffer(), fullOffset, length);
+    clampOffsetAndNumElements<float>(buffer(), m_byteOffset, &offset, &length);
+    return create(buffer(), offset, length);
 }
 

trunk/WebCore/html/canvas/WebGLIntArray.cpp

@@ -77 +77 @@
     unsigned offset, length;
     calculateOffsetAndLength(start, end, m_size, &offset, &length);
-    unsigned fullOffset = m_byteOffset + offset * sizeof(int);
-    clampOffsetAndNumElements<int>(buffer(), &fullOffset, &length);
-    return create(buffer(), fullOffset, length);
+    clampOffsetAndNumElements<int>(buffer(), m_byteOffset, &offset, &length);
+    return create(buffer(), offset, length);
 }
 

trunk/WebCore/html/canvas/WebGLShortArray.cpp

@@ -76 +76 @@
     unsigned offset, length;
     calculateOffsetAndLength(start, end, m_size, &offset, &length);
-    unsigned fullOffset = m_byteOffset + offset * sizeof(short);
-    clampOffsetAndNumElements<short>(buffer(), &fullOffset, &length);
-    return create(buffer(), fullOffset, length);
+    clampOffsetAndNumElements<short>(buffer(), m_byteOffset, &offset, &length);
+    return create(buffer(), offset, length);
 }
 

trunk/WebCore/html/canvas/WebGLUnsignedByteArray.cpp

@@ -77 +77 @@
     unsigned offset, length;
     calculateOffsetAndLength(start, end, m_size, &offset, &length);
-    unsigned fullOffset = m_byteOffset + offset * sizeof(unsigned char);
-    clampOffsetAndNumElements<unsigned char>(buffer(), &fullOffset, &length);
-    return create(buffer(), fullOffset, length);
+    clampOffsetAndNumElements<unsigned char>(buffer(), m_byteOffset, &offset, &length);
+    return create(buffer(), offset, length);
 }
 

trunk/WebCore/html/canvas/WebGLUnsignedIntArray.cpp

@@ -77 +77 @@
     unsigned offset, length;
     calculateOffsetAndLength(start, end, m_size, &offset, &length);
-    unsigned fullOffset = m_byteOffset + offset * sizeof(unsigned int);
-    clampOffsetAndNumElements<unsigned int>(buffer(), &fullOffset, &length);
-    return create(buffer(), fullOffset, length);
+    clampOffsetAndNumElements<unsigned int>(buffer(), m_byteOffset, &offset, &length);
+    return create(buffer(), offset, length);
 }
 

trunk/WebCore/html/canvas/WebGLUnsignedShortArray.cpp

@@ -79 +79 @@
     unsigned offset, length;
     calculateOffsetAndLength(start, end, m_size, &offset, &length);
-    unsigned fullOffset = m_byteOffset + offset * sizeof(unsigned short);
-    clampOffsetAndNumElements<unsigned short>(buffer(), &fullOffset, &length);
-    return create(buffer(), fullOffset, length);
+    clampOffsetAndNumElements<unsigned short>(buffer(), m_byteOffset, &offset, &length);
+    return create(buffer(), offset, length);
 }