RESOLVED FIXED 146652
Memory corruption in WebGLRenderingContext::simulateVertexAttrib0 
https://bugs.webkit.org/show_bug.cgi?id=146652
Summary Memory corruption in WebGLRenderingContext::simulateVertexAttrib0
Dean Jackson
Reported 2015-07-06 15:08:51 PDT
Memory corruption in WebGLRenderingContext::simulateVertexAttrib0
Attachments
Patch (3.24 KB, patch)
2015-07-06 15:12 PDT, Dean Jackson 		bfulgham: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Dean Jackson
Comment 1 2015-07-06 15:11:47 PDT
<rdar://problem/21567767>
Dean Jackson
Comment 2 2015-07-06 15:12:26 PDT
Created attachment 256244 [details] Patch
Brent Fulgham
Comment 3 2015-07-06 15:33:55 PDT
Comment on attachment 256244 [details] Patch r=me
Dean Jackson
Comment 4 2015-07-06 15:36:39 PDT
Committed r186380: <http://trac.webkit.org/changeset/186380>
Darin Adler
Comment 5 2015-07-06 20:04:50 PDT
Comment on attachment 256244 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=256244&action=review > Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:4687 > + Checked<GC3Dsizeiptr, RecordOverflow> bufferDataSize = (numVertex + 1) * 4 * sizeof(GC3Dfloat); This doesn’t start using checked arithmetic until after doing all the math. Too late!!!
Darin Adler
Comment 6 2015-07-06 20:06:20 PDT
OK, seems like you fixed that in http://trac.webkit.org/changeset/186384
Dean Jackson
Comment 7 2015-07-07 01:26:25 PDT
(In reply to comment #6) > OK, seems like you fixed that in http://trac.webkit.org/changeset/186384 Yeah. It was my mistake. I found it really hard to replicate the conditions that lead to this - things failed other verification steps first. So in the end I disabled the other checks and then stepped through in the debugger to exercise the new Checked stuff.
Note You need to log in before you can comment on or make changes to this bug.