169798 – WebGL: Improve index validation when using uint index values

Bug 169798 - WebGL: Improve index validation when using uint index values

Summary: WebGL: Improve index validation when using uint index values

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	New Bugs (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Dean Jackson

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2017-03-16 17:05 PDT by Dean Jackson
Modified:	2017-03-16 17:52 PDT (History)
CC List:	6 users (show)

See Also:

Attachments
Patch (13.44 KB, patch) 2017-03-16 17:10 PDT, Dean Jackson	no flags	Details \| Formatted Diff \| Diff
Patch (13.73 KB, patch) 2017-03-16 17:34 PDT, Dean Jackson	simon.fraser: review+	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Dean Jackson 2017-03-16 17:05:01 PDT

WebGL: Improve index validation when using uint index values

Comment 1 Dean Jackson 2017-03-16 17:05:50 PDT

<rdar://problem/31083056>

Comment 2 Dean Jackson 2017-03-16 17:10:28 PDT

Created attachment 304725 [details]
Patch

Comment 3 Simon Fraser (smfr) 2017-03-16 17:15:22 PDT

Comment on attachment 304725 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=304725&action=review

> Source/WebCore/html/canvas/WebGL2RenderingContext.cpp:1758
> +                maxIndex = std::max(maxIndex.value(), static_cast<unsigned>(p[i]));

Won't maxIndex.value() assert the first time you use it because the optional is still nullopt?

Comment 4 Dean Jackson 2017-03-16 17:34:26 PDT

Created attachment 304728 [details]
Patch

Comment 5 Simon Fraser (smfr) 2017-03-16 17:36:59 PDT

Comment on attachment 304728 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=304728&action=review

> Source/WebCore/html/canvas/WebGL2RenderingContext.cpp:1782
> +    if (maxIndex) {

You could early return here: if (!maxIndex) return false;

> Source/WebCore/html/canvas/WebGLRenderingContext.cpp:757
> +    std::optional<unsigned> maxIndex = elementArrayBuffer->getCachedMaxIndex(type);

Why am I seeing all this code twice?

Comment 6 Dean Jackson 2017-03-16 17:51:51 PDT

Committed r214086: <http://trac.webkit.org/changeset/214086>

Comment 7 Dean Jackson 2017-03-16 17:52:44 PDT

Comment on attachment 304728 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=304728&action=review

>> Source/WebCore/html/canvas/WebGL2RenderingContext.cpp:1782
>> +    if (maxIndex) {
> 
> You could early return here: if (!maxIndex) return false;

done.

>> Source/WebCore/html/canvas/WebGLRenderingContext.cpp:757
>> +    std::optional<unsigned> maxIndex = elementArrayBuffer->getCachedMaxIndex(type);
> 
> Why am I seeing all this code twice?

Blame myles :)

I think we could share most of it.