Context Navigation

Changeset 63017 in webkit

Timestamp:

Jul 9, 2010 5:47:59 PM (14 years ago)

Author:

kbr@google.com

Message:

2010-07-09 Kenneth Russell <kbr@google.com>

Reviewed by Nate Chapin.

bufferSubData causes crash in WebGLBuffer::associateBufferSubData
https://bugs.webkit.org/show_bug.cgi?id=42004

Test: fast/canvas/webgl/index-validation-crash-with-buffer-sub-data.html

html/canvas/WebGLBuffer.cpp: (WebCore::WebGLBuffer::associateBufferData):
- Allocate m_elementArrayBuffer for entry point taking only size. Guard against allocation failures of m_elementArrayBuffer.

(WebCore::WebGLBuffer::associateBufferSubData):

Guard against any possibility of crashes due to m_elementArrayBuffer being NULL.

2010-07-09 Kenneth Russell <kbr@google.com>

Reviewed by Nate Chapin.

bufferSubData causes crash in WebGLBuffer::associateBufferSubData
https://bugs.webkit.org/show_bug.cgi?id=42004

fast/canvas/webgl/index-validation-crash-with-buffer-sub-data-expected.txt: Added.
fast/canvas/webgl/index-validation-crash-with-buffer-sub-data.html: Added.

Location:

trunk

Files:

-                      r63016
+                      r63017
+-07-09  Kenneth Russell  <kbr@google.com>
+        Reviewed by Nate Chapin.
+        bufferSubData causes crash in WebGLBuffer::associateBufferSubData
+        https://bugs.webkit.org/show_bug.cgi?id=42004
+        * fast/canvas/webgl/index-validation-crash-with-buffer-sub-data-expected.txt: Added.
+        * fast/canvas/webgl/index-validation-crash-with-buffer-sub-data.html: Added.
 -07-09  Kenneth Russell  <kbr@google.com>

-                      r63014
+                      r63017
+-07-09  Kenneth Russell  <kbr@google.com>
+        Reviewed by Nate Chapin.
+        bufferSubData causes crash in WebGLBuffer::associateBufferSubData
+        https://bugs.webkit.org/show_bug.cgi?id=42004
+        Test: fast/canvas/webgl/index-validation-crash-with-buffer-sub-data.html
+        * html/canvas/WebGLBuffer.cpp:
+        (WebCore::WebGLBuffer::associateBufferData):
+         - Allocate m_elementArrayBuffer for entry point taking only size.
+           Guard against allocation failures of m_elementArrayBuffer.
+        (WebCore::WebGLBuffer::associateBufferSubData):
+         - Guard against any possibility of crashes due to m_elementArrayBuffer being NULL.
 -07-09  Dumitru Daniliuc  <dumi@chromium.org>

-                      r61934
+                      r63017
 bool WebGLBuffer::associateBufferData(int size)
+{
+    switch (m_target) {
+    case GraphicsContext3D::ELEMENT_ARRAY_BUFFER:
+    case GraphicsContext3D::ARRAY_BUFFER:
+    if (!m_target)
+        return false;
+    if (m_target == GraphicsContext3D::ELEMENT_ARRAY_BUFFER) {
+        m_byteLength = size;
+        clearCachedMaxIndices();
+        m_elementArrayBuffer = ArrayBuffer::create(size, 1);
+        if (!m_elementArrayBuffer) {
+            m_byteLength = 0;
+            return false;
+        }
+        return true;
+    } else if (m_target == GraphicsContext3D::ARRAY_BUFFER) {
         m_byteLength = size;
         return true;
-    default:
-        return false;
+    }
+    return false;
+}
 …
         // must never be able to change the validation results.
         m_elementArrayBuffer = ArrayBuffer::create(array->buffer().get());
+        if (!m_elementArrayBuffer) {
+            m_byteLength = 0;
+            return false;
+        }
         return true;
+    }
 …
             return false;
+        if (!m_elementArrayBuffer)
+            return false;
         memcpy(static_cast<unsigned char*>(m_elementArrayBuffer->data()) + offset, array->baseAddress(), array->byteLength());
         return true;

Note: See TracChangeset for help on using the changeset viewer.