vertexAttribPointer must restrict offset parameter
author dino@apple.com <dino@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 26 Mar 2019 18:00:55 +0000 (18:00 +0000)
committer dino@apple.com <dino@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 26 Mar 2019 18:00:55 +0000 (18:00 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196261
<rdar://problem/48458086>

Reviewed by Antoine Quint.

Source/WebCore:

This WebGL function should fail if the offset parameter is
not within [0, max 32-bit int].

Test: fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html

* html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::vertexAttribPointer):

LayoutTests:

Add a test where the offset parameter is out of bounds.

* fast/canvas/webgl/vertexAttribPointer-with-bad-offset-expected.txt: Added.
* fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243506 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset-expected.txt [new file with mode: 0644]
LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp

index 7166973..fbf7524 100644 (file)
@@ -1,3 +1,16 @@
+2019-03-26  Dean Jackson  <dino@apple.com>
+
+        vertexAttribPointer must restrict offset parameter
+        https://bugs.webkit.org/show_bug.cgi?id=196261
+        <rdar://problem/48458086>
+
+        Reviewed by Antoine Quint.
+
+        Add a test where the offset parameter is out of bounds.
+
+        * fast/canvas/webgl/vertexAttribPointer-with-bad-offset-expected.txt: Added.
+        * fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html: Added.
+
 2019-03-26  Zalan Bujtas  <zalan@apple.com>
 
         [ContentChangeObserver] Skip anonymous renderers when checking for "willRespondToMouseClickEvents"
diff --git a/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset-expected.txt b/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset-expected.txt
new file mode 100644 (file)
index 0000000..bf679d9
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 49: WebGL: INVALID_VALUE: vertexAttribPointer: bad offset
+CONSOLE MESSAGE: line 56: WebGL: INVALID_OPERATION: drawArrays: attempt to access out of bounds arrays
+PASS: vertexAttribPointer should have an error.
+
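Review bot: the expectation file pins the two console messages to source line numbers ("line 49", "line 56"), so any edit that shifts lines in vertexAttribPointer-with-bad-offset.html will break this test for reasons unrelated to the offset check. Also, the INVALID_OPERATION from drawArrays is captured only as a console message and not as a PASS/FAIL line, so a regression in the draw-time bounds check would surface as an expectation mismatch rather than an explicit test failure; an explicit check on gl.getError() after drawArrays in the test would make that intent clear.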
diff --git a/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html b/LayoutTests/fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html
new file mode 100644 (file)
index 0000000..26f0c10
--- /dev/null
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html>
+<script id="vshader" type="x-shader/x-vertex">
+attribute vec4 a1;
+void main () {
+gl_Position = a1;
+}
+</script>
+
+<script id="fshader" type="x-shader/x-fragment">
+#ifdef GL_ES
+precision highp float;
+#endif
+void main() {
+gl_FragColor = vec4(1.0, 1.0, 1.0, 1.0);
+}
+</script>
+
+<body>
+<div id="results"></div>
+<canvas id="canvas"></canvas>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+const canvas = document.getElementById("canvas");
+const gl = canvas.getContext("webgl");
+
+const vShader = gl.createShader(gl.VERTEX_SHADER);
+gl.shaderSource(vShader, document.getElementById("vshader").text);
+gl.compileShader(vShader);
+
+const fShader = gl.createShader(gl.FRAGMENT_SHADER);
+gl.shaderSource(fShader, document.getElementById("fshader").text);
+gl.compileShader(fShader);
+
+const program = gl.createProgram();
+gl.attachShader(program, vShader);
+gl.attachShader(program, fShader);
+gl.linkProgram(program);
+gl.useProgram(program);
+
+const attribute = gl.getAttribLocation(program, "a1");
+gl.enableVertexAttribArray(attribute);
+
+const b1 = gl.createBuffer();
+gl.bindBuffer(gl.ARRAY_BUFFER, b1);
+
+gl.vertexAttribPointer(attribute, 1, gl.BYTE, true, 1, 0x00ffff00000000);
+document.getElementById("results").textContent = `${gl.getError() == gl.NO_ERROR ? "FAIL" : "PASS"}: vertexAttribPointer should have an error.`;
+
+const b2 = gl.createBuffer();
+gl.bindBuffer(gl.ARRAY_BUFFER, b2);
+gl.bufferData(gl.ARRAY_BUFFER, new Uint16Array(100), gl.DYNAMIC_DRAW);
+
+gl.drawArrays(gl.LINES, 100, 100);
+</script>
+</body>
+</html>
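Review bot: the PASS condition only checks gl.getError() != gl.NO_ERROR after the bad-offset call; it should check for the specific error, e.g. `gl.getError() == gl.INVALID_VALUE`, because shader compilation and program linking are never checked and any error already queued before the vertexAttribPointer call would make the test pass by accident. It would also be worth calling gl.getError() once before the call to drain prior errors, and adding a companion call with an in-range offset (such as 0) to confirm the new check does not reject valid values.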
index 472388e..8717ee3 100644 (file)
@@ -1,3 +1,19 @@
+2019-03-26  Dean Jackson  <dino@apple.com>
+
+        vertexAttribPointer must restrict offset parameter
+        https://bugs.webkit.org/show_bug.cgi?id=196261
+        <rdar://problem/48458086>
+
+        Reviewed by Antoine Quint.
+
+        This WebGL function should fail if the offset parameter is
+        not within [0, max 32-bit int].
+
+        Test: fast/canvas/webgl/vertexAttribPointer-with-bad-offset.html
+
+        * html/canvas/WebGLRenderingContextBase.cpp:
+        (WebCore::WebGLRenderingContextBase::vertexAttribPointer):
+
 2019-03-26  Antoine Quint  <graouts@apple.com>
 
         Remove mousemoveEventHandlingPreventsDefault internal setting and quirk
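Review bot: the ChangeLog entry states the accepted range [0, max 32-bit int] but not why the upper bound is the 32-bit maximum; a sentence naming the narrower type the offset is later converted to, or the GL constraint being enforced, would help future readers understand where the bound comes from.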
index 1c0f58a..c882417 100644 (file)
@@ -5000,8 +5000,16 @@ void WebGLRenderingContextBase::vertexAttribPointer(GC3Duint index, GC3Dint size
         synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "vertexAttribPointer", "index out of range");
         return;
     }
-    if (size < 1 || size > 4 || stride < 0 || stride > 255 || offset < 0) {
-        synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "vertexAttribPointer", "bad size, stride or offset");
+    if (size < 1 || size > 4) {
+        synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "vertexAttribPointer", "bad size");
+        return;
+    }
+    if (stride < 0 || stride > 255) {
+        synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "vertexAttribPointer", "bad stride");
+        return;
+    }
+    if (offset < 0 || offset > std::numeric_limits<int32_t>::max()) {
+        synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "vertexAttribPointer", "bad offset");
         return;
     }
     if (!m_boundArrayBuffer) {
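Review bot: the new comparison against std::numeric_limits<int32_t>::max() needs <limits>, and the hunk does not show the include; confirm it is already present in WebGLRenderingContextBase.cpp. The hunk header also truncates the signature after `GC3Dint size`, so the declared type of offset is not visible here; this bound only matters if offset is wider than 32 bits at this point, and it should match the width of the type offset is narrowed to when it is stored or passed on to the GL layer, so that no value above 2^31-1 can wrap before the buffer-bounds check at draw time. Splitting the old combined condition into three early returns with distinct messages ("bad size", "bad stride", "bad offset") is a good change for diagnosing which argument failed; note that the new expectation file depends on the exact "bad offset" string.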