RESOLVED FIXED 159590
CVE-2016-4769 [WebGL] Check for existing buffer exists for enabled vertex array attributes before permitting glDrawArrays to execute 
https://bugs.webkit.org/show_bug.cgi?id=159590
Summary [WebGL] Check for existing buffer exists for enabled vertex array attributes ...
Brent Fulgham
Reported 2016-07-08 17:27:50 PDT
Fuzzing has discovered that the 'drawArrays' WebGL call can be made with an enabled vertex array attribute but without a corresponding bound array buffer. This triggers a crash in WebGL.
Attachments
Patch (4.52 KB, patch)
2016-07-10 21:37 PDT, Brent Fulgham 		dino: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Brent Fulgham
Comment 1 2016-07-08 17:28:09 PDT
<rdar://problem/26865535>
Brent Fulgham
Comment 2 2016-07-10 21:37:09 PDT
Created attachment 283299 [details] Patch
Dean Jackson
Comment 3 2016-07-11 12:00:22 PDT
Comment on attachment 283299 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=283299&action=review > LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-2.html:16 > + gl.shaderSource(fragmentShader, 'highp mat4 my_mat4_0; void main() { gl_FragColor = (my_mat4_0)[0]; }'); I'm not sure if you need this (although it's a nice test by itself). I think the crasher is caused by the vertex shader accessing an attribute that hasn't been bound. I'm actually a bit surprised that this shader compiles!
Dean Jackson
Comment 4 2016-07-11 12:01:14 PDT
I think the fragment shader could just be: void main() { gl_FragColor = vec4(1.0, 0.0, 0.0, 1.0); }
Brent Fulgham
Comment 5 2016-07-11 12:42:01 PDT
(In reply to comment #4) > I think the fragment shader could just be: > > void main() { gl_FragColor = vec4(1.0, 0.0, 0.0, 1.0); } You are right -- I'll simplify the test as you suggest.
Brent Fulgham
Comment 6 2016-07-11 12:44:04 PDT
Committed r203077: <http://trac.webkit.org/changeset/203077>
Note You need to log in before you can comment on or make changes to this bug.