159590 CVE-2016-4769 2016-07-08 17:27:50 -0700 [WebGL] Check for existing buffer exists for enabled vertex array attributes before permitting glDrawArrays to execute 2017-10-11 10:30:23 -0700 1 1 1 Unclassified WebKit WebGL WebKit Nightly Build All All RESOLVED FIXED InRadar P2 Critical --- 1 bfulgham bfulgham bfulgham dino Takuya.Kawasaki zalan oldest_to_newest 1209359 0 bfulgham 2016-07-08 17:27:50 -0700 Fuzzing has discovered that the 'drawArrays' WebGL call can be made with an enabled vertex array attribute but without a corresponding bound array buffer. This triggers a crash in WebGL. 1209361 1 bfulgham 2016-07-08 17:28:09 -0700 <rdar://problem/26865535> 1209588 2 283299 bfulgham 2016-07-10 21:37:09 -0700 Created attachment 283299 Patch 1209735 3 283299 dino 2016-07-11 12:00:22 -0700 Comment on attachment 283299 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=283299&action=review > LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-2.html:16 > + gl.shaderSource(fragmentShader, 'highp mat4 my_mat4_0; void main() { gl_FragColor = (my_mat4_0)[0]; }'); I'm not sure if you need this (although it's a nice test by itself). I think the crasher is caused by the vertex shader accessing an attribute that hasn't been bound. I'm actually a bit surprised that this shader compiles! 1209736 4 dino 2016-07-11 12:01:14 -0700 I think the fragment shader could just be: void main() { gl_FragColor = vec4(1.0, 0.0, 0.0, 1.0); } 1209753 5 bfulgham 2016-07-11 12:42:01 -0700 (In reply to comment #4) > I think the fragment shader could just be: > > void main() { gl_FragColor = vec4(1.0, 0.0, 0.0, 1.0); } You are right -- I'll simplify the test as you suggest. 1209754 6 bfulgham 2016-07-11 12:44:04 -0700 Committed r203077: <http://trac.webkit.org/changeset/203077> 283299 2016-07-10 21:37:09 -0700 2016-07-11 12:00:22 -0700 Patch bug-159590-20160710213628.patch text/plain 4633 bfulgham SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDIwMzAxMykKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE3IEBACisyMDE2LTA3LTA4ICBCcmVudCBG dWxnaGFtICA8YmZ1bGdoYW1AYXBwbGUuY29tPgorCisgICAgICAgIFtXZWJHTF0gQ2hlY2sgZm9y IGV4aXN0aW5nIGJ1ZmZlciBleGlzdHMgZm9yIGVuYWJsZWQgdmVydGV4IGFycmF5IGF0dHJpYnV0 ZXMgYmVmb3JlIHBlcm1pdHRpbmcgZ2xEcmF3QXJyYXlzIHRvIGV4ZWN1dGUKKyAgICAgICAgaHR0 cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE1OTU5MAorICAgICAgICA8cmRh cjovL3Byb2JsZW0vMjY4NjU1MzU+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BT ISkuCisKKyAgICAgICAgVGVzdDogZmFzdC9jYW52YXMvd2ViZ2wvd2ViZ2wtZHJhd2FycmF5cy1j cmFzaC0yLmh0bWwKKworICAgICAgICAqIGh0bWwvY2FudmFzL1dlYkdMUmVuZGVyaW5nQ29udGV4 dEJhc2UuY3BwOgorICAgICAgICAoV2ViQ29yZTo6V2ViR0xSZW5kZXJpbmdDb250ZXh0QmFzZTo6 dmFsaWRhdGVWZXJ0ZXhBdHRyaWJ1dGVzKTogSWYgZW5hYmxlZCBhcnJheSBidWZmZXIgYXR0cmli dXRlcyBleGlzdCwKKyAgICAgICAgZW5zdXJlIHRoYXQgYW4gYXJyYXkgYnVmZmVyIGhhcyBiZWVu IGJvdW5kLgorCiAyMDE2LTA3LTA4ICBEYW5pZWwgQmF0ZXMgIDxkYWJhdGVzQGFwcGxlLmNvbT4K IAogICAgICAgICBNb3ZlIHNob3VsZEluaGVyaXRTZWN1cml0eU9yaWdpbkZyb21Pd25lcigpIGZy b20gVVJMIHRvIERvY3VtZW50CkluZGV4OiBTb3VyY2UvV2ViQ29yZS9odG1sL2NhbnZhcy9XZWJH TFJlbmRlcmluZ0NvbnRleHRCYXNlLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2ViQ29yZS9o dG1sL2NhbnZhcy9XZWJHTFJlbmRlcmluZ0NvbnRleHRCYXNlLmNwcAkocmV2aXNpb24gMjAzMDA1 KQorKysgU291cmNlL1dlYkNvcmUvaHRtbC9jYW52YXMvV2ViR0xSZW5kZXJpbmdDb250ZXh0QmFz ZS5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTE3NjEsNiArMTc2MSwxMSBAQCBib29sIFdlYkdMUmVu ZGVyaW5nQ29udGV4dEJhc2U6OnZhbGlkYXRlCiAgICAgaWYgKGVsZW1lbnRDb3VudCAmJiAhc2F3 RW5hYmxlZEF0dHJpYiAmJiAhbV9jdXJyZW50UHJvZ3JhbS0+aXNVc2luZ1ZlcnRleEF0dHJpYjAo KSkKICAgICAgICAgcmV0dXJuIGZhbHNlOwogCisgICAgaWYgKGVsZW1lbnRDb3VudCAmJiBzYXdF bmFibGVkQXR0cmliKSB7CisgICAgICAgIGlmICghbV9ib3VuZEFycmF5QnVmZmVyICYmICFtX2Jv dW5kVmVydGV4QXJyYXlPYmplY3QtPmdldEVsZW1lbnRBcnJheUJ1ZmZlcigpKQorICAgICAgICAg ICAgcmV0dXJuIGZhbHNlOworICAgIH0KKyAgICAKICAgICByZXR1cm4gdHJ1ZTsKIH0KIApJbmRl eDogTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL0NoYW5n ZUxvZwkocmV2aXNpb24gMjAzMDA1KQorKysgTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCSh3b3JraW5n IGNvcHkpCkBAIC0xLDMgKzEsMTQgQEAKKzIwMTYtMDctMDggIEJyZW50IEZ1bGdoYW0gIDxiZnVs Z2hhbUBhcHBsZS5jb20+CisKKyAgICAgICAgW1dlYkdMXSBDaGVjayBmb3IgZXhpc3RpbmcgYnVm ZmVyIGV4aXN0cyBmb3IgZW5hYmxlZCB2ZXJ0ZXggYXJyYXkgYXR0cmlidXRlcyBiZWZvcmUgcGVy bWl0dGluZyBnbERyYXdBcnJheXMgdG8gZXhlY3V0ZQorICAgICAgICBodHRwczovL2J1Z3Mud2Vi a2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTU5NTkwCisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS8y Njg2NTUzNT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAg ICAqIGZhc3QvY2FudmFzL3dlYmdsL3dlYmdsLWRyYXdhcnJheXMtY3Jhc2gtMi1leHBlY3RlZC50 eHQ6IEFkZGVkLgorICAgICAgICAqIGZhc3QvY2FudmFzL3dlYmdsL3dlYmdsLWRyYXdhcnJheXMt Y3Jhc2gtMi5odG1sOiBBZGRlZC4KKwogMjAxNi0wNy0wOCAgQ2hyaXMgRHVtZXogIDxjZHVtZXpA YXBwbGUuY29tPgogCiAgICAgICAgIE9iamVjdC5kZWZpbmVQcm9wZXJ0eSgpIHNob3VsZCBtYWlu dGFpbiBleGlzdGluZyBnZXR0ZXIgLyBzZXR0ZXIgaWYgbm90IG92ZXJyaWRkZW4gaW4gdGhlIG5l dyBkZXNjcmlwdG9yCkluZGV4OiBMYXlvdXRUZXN0cy9mYXN0L2NhbnZhcy93ZWJnbC93ZWJnbC1k cmF3YXJyYXlzLWNyYXNoLTItZXhwZWN0ZWQudHh0Cj09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3Rz L2Zhc3QvY2FudmFzL3dlYmdsL3dlYmdsLWRyYXdhcnJheXMtY3Jhc2gtMi1leHBlY3RlZC50eHQJ KG5vbmV4aXN0ZW50KQorKysgTGF5b3V0VGVzdHMvZmFzdC9jYW52YXMvd2ViZ2wvd2ViZ2wtZHJh d2FycmF5cy1jcmFzaC0yLWV4cGVjdGVkLnR4dAkod29ya2luZyBjb3B5KQpAQCAtMCwwICsxLDMg QEAKK0NPTlNPTEUgTUVTU0FHRTogbGluZSAyMzogV2ViR0w6IElOVkFMSURfT1BFUkFUSU9OOiBk cmF3QXJyYXlzOiBhdHRlbXB0IHRvIGFjY2VzcyBvdXQgb2YgYm91bmRzIGFycmF5cworUEFTUy4g WW91IGRpZG4ndCBjcmFzaC4KKwpJbmRleDogTGF5b3V0VGVzdHMvZmFzdC9jYW52YXMvd2ViZ2wv d2ViZ2wtZHJhd2FycmF5cy1jcmFzaC0yLmh0bWwKPT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMv ZmFzdC9jYW52YXMvd2ViZ2wvd2ViZ2wtZHJhd2FycmF5cy1jcmFzaC0yLmh0bWwJKG5vbmV4aXN0 ZW50KQorKysgTGF5b3V0VGVzdHMvZmFzdC9jYW52YXMvd2ViZ2wvd2ViZ2wtZHJhd2FycmF5cy1j cmFzaC0yLmh0bWwJKHdvcmtpbmcgY29weSkKQEAgLTAsMCArMSw0MSBAQAorPCFET0NUWVBFIGh0 bWw+Cis8aHRtbD4KKzxoZWFkPgorICAgIDxzY3JpcHQgc3JjPSJyZXNvdXJjZXMvd2ViZ2wtdGVz dC11dGlscy5qcyI+IDwvc2NyaXB0PgorICAgIDxzY3JpcHQ+CisgICAgZnVuY3Rpb24gcnVuVGVz dCgpCisgICAgeworICAgICAgICB2YXIgY2FudmFzID0gZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQo IndlYmdsLWNhbnZhcyIpOworICAgICAgICB2YXIgZ2wgPSBXZWJHTFRlc3RVdGlscy5jcmVhdGUz RENvbnRleHQoY2FudmFzKTsKKyAgICAgICAgdmFyIGZyYWdtZW50U2hhZGVyID0gZ2wuY3JlYXRl U2hhZGVyKGdsLkZSQUdNRU5UX1NIQURFUik7CisgICAgICAgIHZhciBwcm9ncmFtID0gZ2wuY3Jl YXRlUHJvZ3JhbSgpOworICAgICAgICB2YXIgdmVydGV4U2hhZGVyID0gZ2wuY3JlYXRlU2hhZGVy KGdsLlZFUlRFWF9TSEFERVIpOworICAgICAgICBnbC5zaGFkZXJTb3VyY2UodmVydGV4U2hhZGVy LCAnYXR0cmlidXRlIG1lZGl1bXAgbWF0NCBhdHRyaWJ1dGVfbWF0NF8wOyBtZWRpdW1wIG1hdDQg bXlfbWF0NF8wOyB2b2lkIG1haW4oKSB7IG15X21hdDRfMCA9IGF0dHJpYnV0ZV9tYXQ0XzA7IH0n KTsKKyAgICAgICAgZ2wuY29tcGlsZVNoYWRlcih2ZXJ0ZXhTaGFkZXIpOworICAgICAgICBnbC5h dHRhY2hTaGFkZXIocHJvZ3JhbSwgdmVydGV4U2hhZGVyKTsKKyAgICAgICAgZ2wuc2hhZGVyU291 cmNlKGZyYWdtZW50U2hhZGVyLCAnaGlnaHAgbWF0NCBteV9tYXQ0XzA7IHZvaWQgbWFpbigpIHsg Z2xfRnJhZ0NvbG9yID0gKG15X21hdDRfMClbMF07IH0nKTsKKyAgICAgICAgZ2wuY29tcGlsZVNo YWRlcihmcmFnbWVudFNoYWRlcik7CisgICAgICAgIGdsLmF0dGFjaFNoYWRlcihwcm9ncmFtLCBm cmFnbWVudFNoYWRlcik7CisgICAgICAgIGdsLmxpbmtQcm9ncmFtKHByb2dyYW0pOworICAgICAg ICBnbC51c2VQcm9ncmFtKHByb2dyYW0pOworCisgICAgICAgIGdsLmVuYWJsZVZlcnRleEF0dHJp YkFycmF5KDApOworICAgICAgICBnbC5kcmF3QXJyYXlzKGdsLkxJTkVfTE9PUCwgMCwgMSk7CisK KyAgICAgICAgaWYgKHdpbmRvdy50ZXN0UnVubmVyKQorICAgICAgICAgIHRlc3RSdW5uZXIubm90 aWZ5RG9uZSgpOworICAgIH0KKworICAgIGlmICh3aW5kb3cudGVzdFJ1bm5lcikgeworICAgICAg ICB0ZXN0UnVubmVyLmR1bXBBc1RleHQoKTsKKyAgICAgICAgdGVzdFJ1bm5lci53YWl0VW50aWxE b25lKCk7CisgICAgfQorCisgICAgd2luZG93Lm9ucGFnZXNob3cgPSBydW5UZXN0OworICAgIDwv c2NyaXB0PiAgICAKKzwvaGVhZD4gIAorPGJvZHk+CisgICAgPGRpdj5QQVNTLiBZb3UgZGlkbid0 IGNyYXNoLjwvZGl2PgorICAgIDxjYW52YXMgaWQ9IndlYmdsLWNhbnZhcyIgd2lkdGg9IjEwMHB4 IiBoZWlnaHQ9IjEwMHB4Ij48L2NhbnZhcz4KKzwvYm9keT4KKzwvaHRtbD4KXCBObyBuZXdsaW5l IGF0IGVuZCBvZiBmaWxlCg==