42004 2010-07-09 16:44:55 -0700 bufferSubData causes crash in WebGLBuffer::associateBufferSubData 2010-07-09 17:48:19 -0700 1 1 1 Unclassified WebKit WebGL 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 kbr kbr cmarrin dglazkov japhet oliver zmo oldest_to_newest 249352 0 kbr 2010-07-09 16:44:55 -0700 If an element array buffer object is initialized via bufferData(ELEMENT_ARRAY_BUFFER, size, usage) and then filled with bufferSubData(ELEMENT_ARRAY_BUFFER, offset, ArrayBufferView), the index validation code (WebGLBuffer::associateBufferSubData) crashes because the m_elementArrayBuffer has not been allocated. 249356 1 61114 kbr 2010-07-09 16:55:27 -0700 Created attachment 61114 Patch From the ChangeLog: Allocate m_elementArrayBuffer for entry point taking only size. Guard against allocation failures of m_elementArrayBuffer. Guard against any possibility of crashes due to m_elementArrayBuffer being NULL. 249366 2 61114 japhet 2010-07-09 17:21:09 -0700 Comment on attachment 61114 Patch > case GraphicsContext3D::ELEMENT_ARRAY_BUFFER: > case GraphicsContext3D::ARRAY_BUFFER: > m_byteLength = size; > + if (m_target == GraphicsContext3D::ELEMENT_ARRAY_BUFFER) { > + clearCachedMaxIndices(); > + m_elementArrayBuffer = ArrayBuffer::create(size, 1); > + if (!m_elementArrayBuffer) { > + m_byteLength = 0; > + return false; > + } > + } > return true; > default: > return false; Style nit: exit early if m_target is 0, and remove the switch. 249372 3 kbr 2010-07-09 17:26:58 -0700 (In reply to comment #2) > (From update of attachment 61114 [details]) > > case GraphicsContext3D::ELEMENT_ARRAY_BUFFER: > > case GraphicsContext3D::ARRAY_BUFFER: > > m_byteLength = size; > > + if (m_target == GraphicsContext3D::ELEMENT_ARRAY_BUFFER) { > > + clearCachedMaxIndices(); > > + m_elementArrayBuffer = ArrayBuffer::create(size, 1); > > + if (!m_elementArrayBuffer) { > > + m_byteLength = 0; > > + return false; > > + } > > + } > > return true; > > default: > > return false; > > Style nit: exit early if m_target is 0, and remove the switch. Will make this change in the landed version. 249395 4 kbr 2010-07-09 17:48:19 -0700 Committed r63017: <http://trac.webkit.org/changeset/63017> 61114 2010-07-09 16:55:27 -0700 2010-07-09 17:21:09 -0700 Patch buffer-sub-data.patch text/plain 5527 kbr SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA2MzAxMykKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTkgQEAKKzIwMTAtMDctMDkgIEtlbm5ldGggUnVzc2VsbCAgPGtickBnb29nbGUu Y29tPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIGJ1 ZmZlclN1YkRhdGEgY2F1c2VzIGNyYXNoIGluIFdlYkdMQnVmZmVyOjphc3NvY2lhdGVCdWZmZXJT dWJEYXRhCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD00 MjAwNAorCisgICAgICAgIFRlc3Q6IGZhc3QvY2FudmFzL3dlYmdsL2luZGV4LXZhbGlkYXRpb24t Y3Jhc2gtd2l0aC1idWZmZXItc3ViLWRhdGEuaHRtbAorCisgICAgICAgICogaHRtbC9jYW52YXMv V2ViR0xCdWZmZXIuY3BwOgorICAgICAgICAoV2ViQ29yZTo6V2ViR0xCdWZmZXI6OmFzc29jaWF0 ZUJ1ZmZlckRhdGEpOgorICAgICAgICAgLSBBbGxvY2F0ZSBtX2VsZW1lbnRBcnJheUJ1ZmZlciBm b3IgZW50cnkgcG9pbnQgdGFraW5nIG9ubHkgc2l6ZS4KKyAgICAgICAgICAgR3VhcmQgYWdhaW5z dCBhbGxvY2F0aW9uIGZhaWx1cmVzIG9mIG1fZWxlbWVudEFycmF5QnVmZmVyLgorICAgICAgICAo V2ViQ29yZTo6V2ViR0xCdWZmZXI6OmFzc29jaWF0ZUJ1ZmZlclN1YkRhdGEpOgorICAgICAgICAg LSBHdWFyZCBhZ2FpbnN0IGFueSBwb3NzaWJpbGl0eSBvZiBjcmFzaGVzIGR1ZSB0byBtX2VsZW1l bnRBcnJheUJ1ZmZlciBiZWluZyBOVUxMLgorCiAyMDEwLTA3LTA5ICBFcmljIFNlaWRlbCAgPGVy aWNAd2Via2l0Lm9yZz4KIAogICAgICAgICBSZXZpZXdlZCBieSBBZGFtIEJhcnRoLgpJbmRleDog V2ViQ29yZS9odG1sL2NhbnZhcy9XZWJHTEJ1ZmZlci5jcHAKPT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gV2ViQ29y ZS9odG1sL2NhbnZhcy9XZWJHTEJ1ZmZlci5jcHAJKHJldmlzaW9uIDYyOTkxKQorKysgV2ViQ29y ZS9odG1sL2NhbnZhcy9XZWJHTEJ1ZmZlci5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTU4LDYgKzU4 LDE0IEBAIGJvb2wgV2ViR0xCdWZmZXI6OmFzc29jaWF0ZUJ1ZmZlckRhdGEoaW4KICAgICBjYXNl IEdyYXBoaWNzQ29udGV4dDNEOjpFTEVNRU5UX0FSUkFZX0JVRkZFUjoKICAgICBjYXNlIEdyYXBo aWNzQ29udGV4dDNEOjpBUlJBWV9CVUZGRVI6CiAgICAgICAgIG1fYnl0ZUxlbmd0aCA9IHNpemU7 CisgICAgICAgIGlmIChtX3RhcmdldCA9PSBHcmFwaGljc0NvbnRleHQzRDo6RUxFTUVOVF9BUlJB WV9CVUZGRVIpIHsKKyAgICAgICAgICAgIGNsZWFyQ2FjaGVkTWF4SW5kaWNlcygpOworICAgICAg ICAgICAgbV9lbGVtZW50QXJyYXlCdWZmZXIgPSBBcnJheUJ1ZmZlcjo6Y3JlYXRlKHNpemUsIDEp OworICAgICAgICAgICAgaWYgKCFtX2VsZW1lbnRBcnJheUJ1ZmZlcikgeworICAgICAgICAgICAg ICAgIG1fYnl0ZUxlbmd0aCA9IDA7CisgICAgICAgICAgICAgICAgcmV0dXJuIGZhbHNlOworICAg ICAgICAgICAgfQorICAgICAgICB9CiAgICAgICAgIHJldHVybiB0cnVlOwogICAgIGRlZmF1bHQ6 CiAgICAgICAgIHJldHVybiBmYWxzZTsKQEAgLTc4LDYgKzg2LDEwIEBAIGJvb2wgV2ViR0xCdWZm ZXI6OmFzc29jaWF0ZUJ1ZmZlckRhdGEoQXIKICAgICAgICAgLy8gbW9kaWZpY2F0aW9ucyB3aXRo b3V0IGNhbGxpbmcgYnVmZmVyRGF0YSBvciBidWZmZXJTdWJEYXRhCiAgICAgICAgIC8vIG11c3Qg bmV2ZXIgYmUgYWJsZSB0byBjaGFuZ2UgdGhlIHZhbGlkYXRpb24gcmVzdWx0cy4KICAgICAgICAg bV9lbGVtZW50QXJyYXlCdWZmZXIgPSBBcnJheUJ1ZmZlcjo6Y3JlYXRlKGFycmF5LT5idWZmZXIo KS5nZXQoKSk7CisgICAgICAgIGlmICghbV9lbGVtZW50QXJyYXlCdWZmZXIpIHsKKyAgICAgICAg ICAgIG1fYnl0ZUxlbmd0aCA9IDA7CisgICAgICAgICAgICByZXR1cm4gZmFsc2U7CisgICAgICAg IH0KICAgICAgICAgcmV0dXJuIHRydWU7CiAgICAgfQogCkBAIC0xMDcsNiArMTE5LDkgQEAgYm9v bCBXZWJHTEJ1ZmZlcjo6YXNzb2NpYXRlQnVmZmVyU3ViRGF0YQogICAgICAgICBpZiAodW9mZnNl dCA+IG1fYnl0ZUxlbmd0aCB8fCBhcnJheS0+Ynl0ZUxlbmd0aCgpID4gbV9ieXRlTGVuZ3RoIC0g dW9mZnNldCkKICAgICAgICAgICAgIHJldHVybiBmYWxzZTsKICAgICAgICAgICAgIAorICAgICAg ICBpZiAoIW1fZWxlbWVudEFycmF5QnVmZmVyKQorICAgICAgICAgICAgcmV0dXJuIGZhbHNlOwor CiAgICAgICAgIG1lbWNweShzdGF0aWNfY2FzdDx1bnNpZ25lZCBjaGFyKj4obV9lbGVtZW50QXJy YXlCdWZmZXItPmRhdGEoKSkgKyBvZmZzZXQsIGFycmF5LT5iYXNlQWRkcmVzcygpLCBhcnJheS0+ Ynl0ZUxlbmd0aCgpKTsKICAgICAgICAgcmV0dXJuIHRydWU7CiAgICAgfQpJbmRleDogTGF5b3V0 VGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL0NoYW5nZUxvZwkocmV2 aXNpb24gNjMwMTMpCisrKyBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJKHdvcmtpbmcgY29weSkKQEAg LTEsMyArMSwxMyBAQAorMjAxMC0wNy0wOSAgS2VubmV0aCBSdXNzZWxsICA8a2JyQGdvb2dsZS5j b20+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgYnVm ZmVyU3ViRGF0YSBjYXVzZXMgY3Jhc2ggaW4gV2ViR0xCdWZmZXI6OmFzc29jaWF0ZUJ1ZmZlclN1 YkRhdGEKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTQy MDA0CisKKyAgICAgICAgKiBmYXN0L2NhbnZhcy93ZWJnbC9pbmRleC12YWxpZGF0aW9uLWNyYXNo LXdpdGgtYnVmZmVyLXN1Yi1kYXRhLWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAgICogZmFz dC9jYW52YXMvd2ViZ2wvaW5kZXgtdmFsaWRhdGlvbi1jcmFzaC13aXRoLWJ1ZmZlci1zdWItZGF0 YS5odG1sOiBBZGRlZC4KKwogMjAxMC0wNy0wOSAgVG9ueSBHZW50aWxjb3JlICA8dG9ueWdAY2hy b21pdW0ub3JnPgogCiAgICAgICAgIFJldmlld2VkIGJ5IERpbWl0cmkgR2xhemtvdi4KSW5kZXg6 IExheW91dFRlc3RzL2Zhc3QvY2FudmFzL3dlYmdsL2luZGV4LXZhbGlkYXRpb24tY3Jhc2gtd2l0 aC1idWZmZXItc3ViLWRhdGEtZXhwZWN0ZWQudHh0Cj09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3Rz L2Zhc3QvY2FudmFzL3dlYmdsL2luZGV4LXZhbGlkYXRpb24tY3Jhc2gtd2l0aC1idWZmZXItc3Vi LWRhdGEtZXhwZWN0ZWQudHh0CShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvZmFzdC9jYW52 YXMvd2ViZ2wvaW5kZXgtdmFsaWRhdGlvbi1jcmFzaC13aXRoLWJ1ZmZlci1zdWItZGF0YS1leHBl Y3RlZC50eHQJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsMTAgQEAKK1ZlcmlmaWVzIHRoYXQgdGhl IGluZGV4IHZhbGlkYXRpb24gY29kZSB3aGljaCBpcyB3aXRoaW4gYnVmZmVyU3ViRGF0YSBkb2Vz IG5vdCBjcmFzaC4KKworT24gc3VjY2VzcywgeW91IHdpbGwgc2VlIGEgc2VyaWVzIG9mICJQQVNT IiBtZXNzYWdlcywgZm9sbG93ZWQgYnkgIlRFU1QgQ09NUExFVEUiLgorCitSZWdyZXNzaW9uIHRl c3QgZm9yIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD00MjAwNCA6IGJ1 ZmZlclN1YkRhdGEgY2F1c2VzIGNyYXNoIGluIFdlYkdMQnVmZmVyOjphc3NvY2lhdGVCdWZmZXJT dWJEYXRhCitQQVNTIGJ1ZmZlclN1YkRhdGEsIHdoZW4gYnVmZmVyIG9iamVjdCB3YXMgaW5pdGlh bGl6ZWQgd2l0aCBudWxsLCBkaWQgbm90IGNyYXNoCitQQVNTIHN1Y2Nlc3NmdWxseVBhcnNlZCBp cyB0cnVlCisKK1RFU1QgQ09NUExFVEUKKwpJbmRleDogTGF5b3V0VGVzdHMvZmFzdC9jYW52YXMv d2ViZ2wvaW5kZXgtdmFsaWRhdGlvbi1jcmFzaC13aXRoLWJ1ZmZlci1zdWItZGF0YS5odG1sCj09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT0KLS0tIExheW91dFRlc3RzL2Zhc3QvY2FudmFzL3dlYmdsL2luZGV4LXZhbGlkYXRp b24tY3Jhc2gtd2l0aC1idWZmZXItc3ViLWRhdGEuaHRtbAkocmV2aXNpb24gMCkKKysrIExheW91 dFRlc3RzL2Zhc3QvY2FudmFzL3dlYmdsL2luZGV4LXZhbGlkYXRpb24tY3Jhc2gtd2l0aC1idWZm ZXItc3ViLWRhdGEuaHRtbAkocmV2aXNpb24gMCkKQEAgLTAsMCArMSwzMCBAQAorPGh0bWw+Cis8 aGVhZD4KKzxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iLi4vLi4vanMvcmVzb3VyY2VzL2pz LXRlc3Qtc3R5bGUuY3NzIi8+Cis8c2NyaXB0IHNyYz0iLi4vLi4vanMvcmVzb3VyY2VzL2pzLXRl c3QtcHJlLmpzIj48L3NjcmlwdD4KKzxzY3JpcHQgc3JjPSJyZXNvdXJjZXMvd2ViZ2wtdGVzdC5q cyI+PC9zY3JpcHQ+Cis8L2hlYWQ+Cis8Ym9keT4KKzxkaXYgaWQ9ImRlc2NyaXB0aW9uIj48L2Rp dj4KKzxkaXYgaWQ9ImNvbnNvbGUiPjwvZGl2PgorCis8c2NyaXB0PgorZGVzY3JpcHRpb24oJ1Zl cmlmaWVzIHRoYXQgdGhlIGluZGV4IHZhbGlkYXRpb24gY29kZSB3aGljaCBpcyB3aXRoaW4gYnVm ZmVyU3ViRGF0YSBkb2VzIG5vdCBjcmFzaC4nKQorCitkZWJ1ZygnUmVncmVzc2lvbiB0ZXN0IGZv ciA8YSBocmVmPSJodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NDIwMDQi Pmh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD00MjAwNDwvYT4gOiA8Y29k ZT5idWZmZXJTdWJEYXRhIGNhdXNlcyBjcmFzaCBpbiBXZWJHTEJ1ZmZlcjo6YXNzb2NpYXRlQnVm ZmVyU3ViRGF0YTwvY29kZT4nKTsKKwordmFyIGdsID0gY3JlYXRlM0RDb250ZXh0KCk7CisKK3Zh ciBlbGVtZW50QnVmZmVyID0gZ2wuY3JlYXRlQnVmZmVyKCk7CitnbC5iaW5kQnVmZmVyKGdsLkVM RU1FTlRfQVJSQVlfQlVGRkVSLCBlbGVtZW50QnVmZmVyKTsKK2dsLmJ1ZmZlckRhdGEoZ2wuRUxF TUVOVF9BUlJBWV9CVUZGRVIsIDI1NiwgZ2wuU1RBVElDX0RSQVcpOwordmFyIGRhdGEgPSBuZXcg VWludDhBcnJheSgxMjcpOworZ2wuYnVmZmVyU3ViRGF0YShnbC5FTEVNRU5UX0FSUkFZX0JVRkZF UiwgNjMsIGRhdGEpOwordGVzdFBhc3NlZCgiYnVmZmVyU3ViRGF0YSwgd2hlbiBidWZmZXIgb2Jq ZWN0IHdhcyBpbml0aWFsaXplZCB3aXRoIG51bGwsIGRpZCBub3QgY3Jhc2giKTsKKworc3VjY2Vz c2Z1bGx5UGFyc2VkID0gdHJ1ZTsKKzwvc2NyaXB0PgorCis8c2NyaXB0IHNyYz0iLi4vLi4vanMv cmVzb3VyY2VzL2pzLXRlc3QtcG9zdC5qcyI+PC9zY3JpcHQ+Cis8L2JvZHk+Cis8L2h0bWw+Cg==