Bug 146652 - Memory corruption in WebGLRenderingContext::simulateVertexAttrib0
Status: RESOLVED FIXED
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified
Importance: P2 Normal
Assignee: Dean Jackson
Reported: 2015-07-06 15:08 PDT by Dean Jackson
Modified: 2015-07-07 01:26 PDT

Attachments
Patch (3.24 KB, patch)
2015-07-06 15:12 PDT, Dean Jackson
bfulgham: review+
Description Dean Jackson 2015-07-06 15:08:51 PDT
Memory corruption in WebGLRenderingContext::simulateVertexAttrib0
Comment 1 Dean Jackson 2015-07-06 15:11:47 PDT
<rdar://problem/21567767>
Comment 2 Dean Jackson 2015-07-06 15:12:26 PDT
Created attachment 256244 [details]
Patch
Comment 3 Brent Fulgham 2015-07-06 15:33:55 PDT
Comment on attachment 256244 [details]
Patch

r=me
Comment 4 Dean Jackson 2015-07-06 15:36:39 PDT
Committed r186380: <http://trac.webkit.org/changeset/186380>
Comment 5 Darin Adler 2015-07-06 20:04:50 PDT
Comment on attachment 256244 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=256244&action=review

> Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:4687
> +    Checked<GC3Dsizeiptr, RecordOverflow> bufferDataSize = (numVertex + 1) * 4 * sizeof(GC3Dfloat);
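
Review bot: the right-hand side `(numVertex + 1) * 4 * sizeof(GC3Dfloat)` is evaluated entirely in plain integer arithmetic, and only the finished product is converted to `Checked<GC3Dsizeiptr, RecordOverflow>`, so an overflow in the addition or the multiplication has already wrapped before the checked type can record it. Start the chain from a checked value instead, e.g. `Checked<GC3Dsizeiptr, RecordOverflow> bufferDataSize = numVertex; bufferDataSize += 1; bufferDataSize *= 4 * sizeof(GC3Dfloat);`, and test `bufferDataSize.hasOverflowed()` before the size is used.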

This doesn’t start using checked arithmetic until after doing all the math. Too late!!!
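The ordering problem Darin points out, as an added example that is not WebKit's code: a minimal stand-in for WTF's `Checked` (constructed here, using unsigned 64-bit values rather than `GC3Dsizeiptr`) computes the simulated vertex-attrib-0 buffer size both ways, wrapped after the arithmetic as in the reviewed line, and checked from the first operation as in the follow-up.

```cpp
#include <cstdint>
#include <optional>

// Stand-in for WTF's Checked<T, RecordOverflow> (constructed for this example,
// not WebKit's class): the overflow flag is sticky once any operation wraps.
struct CheckedSize {
    uint64_t value;
    bool overflowed = false;

    explicit CheckedSize(uint64_t v) : value(v) {}

    CheckedSize& operator+=(uint64_t rhs) {
        if (__builtin_add_overflow(value, rhs, &value)) overflowed = true;
        return *this;
    }
    CheckedSize& operator*=(uint64_t rhs) {
        if (__builtin_mul_overflow(value, rhs, &value)) overflowed = true;
        return *this;
    }
};

// Bytes per simulated vertex: 4 floats of 4 bytes, as in the reviewed patch.
constexpr uint64_t kBytesPerVertex = 4 * sizeof(float);

// Shape of the line Darin flagged: the whole product is computed in plain
// integer arithmetic and only the result is wrapped. Unsigned wraparound has
// already happened, so the flag can never be set here.
bool wrapAfterMathDetectsOverflow(uint64_t numVertex) {
    uint64_t bufferDataSize = (numVertex + 1) * kBytesPerVertex;
    CheckedSize checked(bufferDataSize);
    return checked.overflowed;
}

// Shape of the follow-up fix: begin with a checked value and keep every
// operation inside it, so the flag records the wrap.
bool checkedFromStartDetectsOverflow(uint64_t numVertex) {
    CheckedSize bufferDataSize(numVertex);
    bufferDataSize += 1;
    bufferDataSize *= kBytesPerVertex;
    return bufferDataSize.overflowed;
}

// Helper a caller would use: the byte count, or nothing if it does not fit.
std::optional<uint64_t> vertexAttrib0BufferSize(uint64_t numVertex) {
    CheckedSize bufferDataSize(numVertex);
    bufferDataSize += 1;
    bufferDataSize *= kBytesPerVertex;
    if (bufferDataSize.overflowed) return std::nullopt;
    return bufferDataSize.value;
}
```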
Comment 6 Darin Adler 2015-07-06 20:06:20 PDT
OK, seems like you fixed that in http://trac.webkit.org/changeset/186384
Comment 7 Dean Jackson 2015-07-07 01:26:25 PDT
(In reply to comment #6)
> OK, seems like you fixed that in http://trac.webkit.org/changeset/186384

Yeah. It was my mistake.

I found it really hard to replicate the conditions that led to this - things failed other verification steps first. So in the end I disabled the other checks and then stepped through in the debugger to exercise the new Checked stuff.