Bug 42004

Summary:

bufferSubData causes crash in WebGLBuffer::associateBufferSubData

Product:

WebKit

Reporter:

Kenneth Russell <kbr>

Component:

WebGL

Assignee:

Kenneth Russell <kbr>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

cmarrin, dglazkov, japhet, oliver, zmo

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Patch	japhet: review+, kbr: commit-queue-

Description Kenneth Russell 2010-07-09 16:44:55 PDT

If an element array buffer object is initialized via bufferData(ELEMENT_ARRAY_BUFFER, size, usage) and then filled with bufferSubData(ELEMENT_ARRAY_BUFFER, offset, ArrayBufferView), the index validation code (WebGLBuffer::associateBufferSubData) crashes because the m_elementArrayBuffer has not been allocated.

Comment 1 Kenneth Russell 2010-07-09 16:55:27 PDT

Created attachment 61114 [details]
Patch

From the ChangeLog:

Allocate m_elementArrayBuffer for entry point taking only size. Guard against allocation failures of m_elementArrayBuffer. Guard against any possibility of crashes due to m_elementArrayBuffer being NULL.

Comment 2 Nate Chapin 2010-07-09 17:21:09 PDT

Comment on attachment 61114 [details]
Patch

>      case GraphicsContext3D::ELEMENT_ARRAY_BUFFER:
>      case GraphicsContext3D::ARRAY_BUFFER:
>          m_byteLength = size;
> +        if (m_target == GraphicsContext3D::ELEMENT_ARRAY_BUFFER) {
> +            clearCachedMaxIndices();
> +            m_elementArrayBuffer = ArrayBuffer::create(size, 1);
> +            if (!m_elementArrayBuffer) {
> +                m_byteLength = 0;
> +                return false;
> +            }
> +        }
>          return true;
>      default:
>          return false;

Style nit: exit early if m_target is 0, and remove the switch.

Comment 3 Kenneth Russell 2010-07-09 17:26:58 PDT

(In reply to comment #2)
> (From update of attachment 61114 [details])
> >      case GraphicsContext3D::ELEMENT_ARRAY_BUFFER:
> >      case GraphicsContext3D::ARRAY_BUFFER:
> >          m_byteLength = size;
> > +        if (m_target == GraphicsContext3D::ELEMENT_ARRAY_BUFFER) {
> > +            clearCachedMaxIndices();
> > +            m_elementArrayBuffer = ArrayBuffer::create(size, 1);
> > +            if (!m_elementArrayBuffer) {
> > +                m_byteLength = 0;
> > +                return false;
> > +            }
> > +        }
> >          return true;
> >      default:
> >          return false;
> 
> Style nit: exit early if m_target is 0, and remove the switch.

Will make this change in the landed version.

Comment 4 Kenneth Russell 2010-07-09 17:48:19 PDT

Committed r63017: <http://trac.webkit.org/changeset/63017>