summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorZhenyao Mo <zmo@google.com>2012-05-07 23:56:47 (GMT)
committerPierre-Antoine LaFayette <plafayet@codeaurora.org>2012-06-13 17:14:17 (GMT)
commitb3a02a0942a0e2c44d23961382145fad6016b2ef (patch)
tree923339aa012b85070ba7855785492a5995968b11
parent8265b3d87b854c03a6bb28ddb7a351b54459cb2a (diff)
vertexAttribPointer needs to reject large negative offsets
https://bugs.webkit.org/show_bug.cgi?id=85117 Reviewed by Kenneth Russell. Source/WebCore: * html/canvas/WebGLRenderingContext.cpp: Use long long for GLsizeiptr and GLintptr (WebCore): (WebCore::WebGLRenderingContext::bufferData): (WebCore::WebGLRenderingContext::bufferSubData): (WebCore::WebGLRenderingContext::drawElements): (WebCore::WebGLRenderingContext::getVertexAttribOffset): (WebCore::WebGLRenderingContext::vertexAttribPointer): * html/canvas/WebGLRenderingContext.h: Ditto (WebGLRenderingContext): * html/canvas/WebGLRenderingContext.idl: Ditto LayoutTests: * fast/canvas/webgl/index-validation-expected.txt: * fast/canvas/webgl/index-validation.html: Add a test case for large negative offset. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@116374 268f45cc-cd09-0410-ab3c-d52691b4dbfc Change-Id: I131bfbfa989407509695133879663e826c928575
-rw-r--r--Source/WebCore/ChangeLog18
-rw-r--r--Source/WebCore/html/canvas/WebGLRenderingContext.cpp40
-rw-r--r--Source/WebCore/html/canvas/WebGLRenderingContext.h12
-rw-r--r--Source/WebCore/html/canvas/WebGLRenderingContext.idl12
4 files changed, 50 insertions, 32 deletions
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 257034f..a4f5ae5 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2012-05-04 Zhenyao Mo <zmo@google.com>
+
+ vertexAttribPointer needs to reject large negative offsets
+ https://bugs.webkit.org/show_bug.cgi?id=85117
+
+ Reviewed by Kenneth Russell.
+
+ * html/canvas/WebGLRenderingContext.cpp: Use long long for GLsizeiptr and GLintptr
+ (WebCore):
+ (WebCore::WebGLRenderingContext::bufferData):
+ (WebCore::WebGLRenderingContext::bufferSubData):
+ (WebCore::WebGLRenderingContext::drawElements):
+ (WebCore::WebGLRenderingContext::getVertexAttribOffset):
+ (WebCore::WebGLRenderingContext::vertexAttribPointer):
+ * html/canvas/WebGLRenderingContext.h: Ditto
+ (WebGLRenderingContext):
+ * html/canvas/WebGLRenderingContext.idl: Ditto
+
2012-01-31 Raymond Liu <raymond.liu@intel.com>
Dynamic allocate AudioBus with required number of channels for AudioNodeInput
diff --git a/Source/WebCore/html/canvas/WebGLRenderingContext.cpp b/Source/WebCore/html/canvas/WebGLRenderingContext.cpp
index 444df4d..457a2b1 100644
--- a/Source/WebCore/html/canvas/WebGLRenderingContext.cpp
+++ b/Source/WebCore/html/canvas/WebGLRenderingContext.cpp
@@ -836,7 +836,7 @@ void WebGLRenderingContext::blendFuncSeparate(GC3Denum srcRGB, GC3Denum dstRGB,
cleanupAfterGraphicsCall(false);
}
-void WebGLRenderingContext::bufferData(GC3Denum target, GC3Dsizeiptr size, GC3Denum usage, ExceptionCode& ec)
+void WebGLRenderingContext::bufferData(GC3Denum target, long long size, GC3Denum usage, ExceptionCode& ec)
{
UNUSED_PARAM(ec);
if (isContextLost())
@@ -849,13 +849,13 @@ void WebGLRenderingContext::bufferData(GC3Denum target, GC3Dsizeiptr size, GC3De
return;
}
if (!isErrorGeneratedOnOutOfBoundsAccesses()) {
- if (!buffer->associateBufferData(size)) {
+ if (!buffer->associateBufferData(static_cast<GC3Dsizeiptr>(size))) {
m_context->synthesizeGLError(GraphicsContext3D::INVALID_VALUE);
return;
}
}
- m_context->bufferData(target, size, usage);
+ m_context->bufferData(target, static_cast<GC3Dsizeiptr>(size), usage);
cleanupAfterGraphicsCall(false);
}
@@ -909,7 +909,7 @@ void WebGLRenderingContext::bufferData(GC3Denum target, ArrayBufferView* data, G
cleanupAfterGraphicsCall(false);
}
-void WebGLRenderingContext::bufferSubData(GC3Denum target, GC3Dintptr offset, ArrayBuffer* data, ExceptionCode& ec)
+void WebGLRenderingContext::bufferSubData(GC3Denum target, long long offset, ArrayBuffer* data, ExceptionCode& ec)
{
UNUSED_PARAM(ec);
if (isContextLost())
@@ -924,17 +924,17 @@ void WebGLRenderingContext::bufferSubData(GC3Denum target, GC3Dintptr offset, Ar
if (!data)
return;
if (!isErrorGeneratedOnOutOfBoundsAccesses()) {
- if (!buffer->associateBufferSubData(offset, data)) {
+ if (!buffer->associateBufferSubData(static_cast<GC3Dintptr>(offset), data)) {
m_context->synthesizeGLError(GraphicsContext3D::INVALID_VALUE);
return;
}
}
- m_context->bufferSubData(target, offset, data->byteLength(), data->data());
+ m_context->bufferSubData(target, static_cast<GC3Dintptr>(offset), data->byteLength(), data->data());
cleanupAfterGraphicsCall(false);
}
-void WebGLRenderingContext::bufferSubData(GC3Denum target, GC3Dintptr offset, ArrayBufferView* data, ExceptionCode& ec)
+void WebGLRenderingContext::bufferSubData(GC3Denum target, long long offset, ArrayBufferView* data, ExceptionCode& ec)
{
UNUSED_PARAM(ec);
if (isContextLost())
@@ -949,13 +949,13 @@ void WebGLRenderingContext::bufferSubData(GC3Denum target, GC3Dintptr offset, Ar
if (!data)
return;
if (!isErrorGeneratedOnOutOfBoundsAccesses()) {
- if (!buffer->associateBufferSubData(offset, data)) {
+ if (!buffer->associateBufferSubData(static_cast<GC3Dintptr>(offset), data)) {
m_context->synthesizeGLError(GraphicsContext3D::INVALID_VALUE);
return;
}
}
- m_context->bufferSubData(target, offset, data->byteLength(), data->baseAddress());
+ m_context->bufferSubData(target, static_cast<GC3Dintptr>(offset), data->byteLength(), data->baseAddress());
cleanupAfterGraphicsCall(false);
}
@@ -1646,7 +1646,7 @@ void WebGLRenderingContext::drawArrays(GC3Denum mode, GC3Dint first, GC3Dsizei c
cleanupAfterGraphicsCall(true);
}
-void WebGLRenderingContext::drawElements(GC3Denum mode, GC3Dsizei count, GC3Denum type, GC3Dintptr offset, ExceptionCode& ec)
+void WebGLRenderingContext::drawElements(GC3Denum mode, GC3Dsizei count, GC3Denum type, long long offset, ExceptionCode& ec)
{
UNUSED_PARAM(ec);
@@ -1681,14 +1681,14 @@ void WebGLRenderingContext::drawElements(GC3Denum mode, GC3Dsizei count, GC3Denu
int numElements = 0;
if (!isErrorGeneratedOnOutOfBoundsAccesses()) {
// Ensure we have a valid rendering state
- if (!validateElementArraySize(count, type, offset)) {
+ if (!validateElementArraySize(count, type, static_cast<GC3Dintptr>(offset))) {
m_context->synthesizeGLError(GraphicsContext3D::INVALID_OPERATION);
return;
}
if (!count)
return;
if (!validateIndexArrayConservative(type, numElements) || !validateRenderingState(numElements)) {
- if (!validateIndexArrayPrecise(count, type, offset, numElements) || !validateRenderingState(numElements)) {
+ if (!validateIndexArrayPrecise(count, type, static_cast<GC3Dintptr>(offset), numElements) || !validateRenderingState(numElements)) {
m_context->synthesizeGLError(GraphicsContext3D::INVALID_OPERATION);
return;
}
@@ -1709,12 +1709,12 @@ void WebGLRenderingContext::drawElements(GC3Denum mode, GC3Dsizei count, GC3Denu
bool vertexAttrib0Simulated = false;
if (!isGLES2Compliant()) {
if (!numElements)
- validateIndexArrayPrecise(count, type, offset, numElements);
+ validateIndexArrayPrecise(count, type, static_cast<GC3Dintptr>(offset), numElements);
vertexAttrib0Simulated = simulateVertexAttrib0(numElements);
}
if (!isGLES2NPOTStrict())
handleNPOTTextures(true);
- m_context->drawElements(mode, count, type, offset);
+ m_context->drawElements(mode, count, type, static_cast<GC3Dintptr>(offset));
if (!isGLES2Compliant() && vertexAttrib0Simulated)
restoreStatesAfterVertexAttrib0Simulation();
if (!isGLES2NPOTStrict())
@@ -2688,13 +2688,13 @@ WebGLGetInfo WebGLRenderingContext::getVertexAttrib(GC3Duint index, GC3Denum pna
}
}
-GC3Dsizeiptr WebGLRenderingContext::getVertexAttribOffset(GC3Duint index, GC3Denum pname)
+long long WebGLRenderingContext::getVertexAttribOffset(GC3Duint index, GC3Denum pname)
{
if (isContextLost())
return 0;
GC3Dsizeiptr result = m_context->getVertexAttribOffset(index, pname);
cleanupAfterGraphicsCall(false);
- return result;
+ return static_cast<long long>(result);
}
void WebGLRenderingContext::hint(GC3Denum target, GC3Denum mode)
@@ -3935,7 +3935,7 @@ void WebGLRenderingContext::vertexAttrib4fv(GC3Duint index, GC3Dfloat* v, GC3Dsi
vertexAttribfvImpl(index, v, size, 4);
}
-void WebGLRenderingContext::vertexAttribPointer(GC3Duint index, GC3Dint size, GC3Denum type, GC3Dboolean normalized, GC3Dsizei stride, GC3Dintptr offset, ExceptionCode& ec)
+void WebGLRenderingContext::vertexAttribPointer(GC3Duint index, GC3Dint size, GC3Denum type, GC3Dboolean normalized, GC3Dsizei stride, long long offset, ExceptionCode& ec)
{
UNUSED_PARAM(ec);
if (isContextLost())
@@ -3969,7 +3969,7 @@ void WebGLRenderingContext::vertexAttribPointer(GC3Duint index, GC3Dint size, GC
m_context->synthesizeGLError(GraphicsContext3D::INVALID_ENUM);
return;
}
- if ((stride % typeSize) || (offset % typeSize)) {
+ if ((stride % typeSize) || (static_cast<GC3Dintptr>(offset) % typeSize)) {
m_context->synthesizeGLError(GraphicsContext3D::INVALID_OPERATION);
return;
}
@@ -3985,8 +3985,8 @@ void WebGLRenderingContext::vertexAttribPointer(GC3Duint index, GC3Dint size, GC
state.normalized = normalized;
state.stride = validatedStride;
state.originalStride = stride;
- state.offset = offset;
- m_context->vertexAttribPointer(index, size, type, normalized, stride, offset);
+ state.offset = static_cast<GC3Dintptr>(offset);
+ m_context->vertexAttribPointer(index, size, type, normalized, stride, static_cast<GC3Dintptr>(offset));
cleanupAfterGraphicsCall(false);
}
diff --git a/Source/WebCore/html/canvas/WebGLRenderingContext.h b/Source/WebCore/html/canvas/WebGLRenderingContext.h
index 4923ce5..a3d3d81 100644
--- a/Source/WebCore/html/canvas/WebGLRenderingContext.h
+++ b/Source/WebCore/html/canvas/WebGLRenderingContext.h
@@ -89,11 +89,11 @@ public:
void blendFunc(GC3Denum sfactor, GC3Denum dfactor);
void blendFuncSeparate(GC3Denum srcRGB, GC3Denum dstRGB, GC3Denum srcAlpha, GC3Denum dstAlpha);
- void bufferData(GC3Denum target, GC3Dsizeiptr size, GC3Denum usage, ExceptionCode&);
+ void bufferData(GC3Denum target, long long size, GC3Denum usage, ExceptionCode&);
void bufferData(GC3Denum target, ArrayBuffer* data, GC3Denum usage, ExceptionCode&);
void bufferData(GC3Denum target, ArrayBufferView* data, GC3Denum usage, ExceptionCode&);
- void bufferSubData(GC3Denum target, GC3Dintptr offset, ArrayBuffer* data, ExceptionCode&);
- void bufferSubData(GC3Denum target, GC3Dintptr offset, ArrayBufferView* data, ExceptionCode&);
+ void bufferSubData(GC3Denum target, long long offset, ArrayBuffer* data, ExceptionCode&);
+ void bufferSubData(GC3Denum target, long long offset, ArrayBufferView* data, ExceptionCode&);
GC3Denum checkFramebufferStatus(GC3Denum target);
void clear(GC3Dbitfield mask);
@@ -136,7 +136,7 @@ public:
void disable(GC3Denum cap);
void disableVertexAttribArray(GC3Duint index, ExceptionCode&);
void drawArrays(GC3Denum mode, GC3Dint first, GC3Dsizei count, ExceptionCode&);
- void drawElements(GC3Denum mode, GC3Dsizei count, GC3Denum type, GC3Dintptr offset, ExceptionCode&);
+ void drawElements(GC3Denum mode, GC3Dsizei count, GC3Denum type, long long offset, ExceptionCode&);
void enable(GC3Denum cap);
void enableVertexAttribArray(GC3Duint index, ExceptionCode&);
@@ -172,7 +172,7 @@ public:
WebGLGetInfo getUniform(WebGLProgram*, const WebGLUniformLocation*, ExceptionCode&);
PassRefPtr<WebGLUniformLocation> getUniformLocation(WebGLProgram*, const String&, ExceptionCode&);
WebGLGetInfo getVertexAttrib(GC3Duint index, GC3Denum pname, ExceptionCode&);
- GC3Dsizeiptr getVertexAttribOffset(GC3Duint index, GC3Denum pname);
+ long long getVertexAttribOffset(GC3Duint index, GC3Denum pname);
void hint(GC3Denum target, GC3Denum mode);
GC3Dboolean isBuffer(WebGLBuffer*);
@@ -279,7 +279,7 @@ public:
void vertexAttrib4fv(GC3Duint index, Float32Array* values);
void vertexAttrib4fv(GC3Duint index, GC3Dfloat* values, GC3Dsizei size);
void vertexAttribPointer(GC3Duint index, GC3Dint size, GC3Denum type, GC3Dboolean normalized,
- GC3Dsizei stride, GC3Dintptr offset, ExceptionCode&);
+ GC3Dsizei stride, long long offset, ExceptionCode&);
void viewport(GC3Dint x, GC3Dint y, GC3Dsizei width, GC3Dsizei height);
diff --git a/Source/WebCore/html/canvas/WebGLRenderingContext.idl b/Source/WebCore/html/canvas/WebGLRenderingContext.idl
index 4ae6f41..0a22c6d 100644
--- a/Source/WebCore/html/canvas/WebGLRenderingContext.idl
+++ b/Source/WebCore/html/canvas/WebGLRenderingContext.idl
@@ -469,9 +469,9 @@ module html {
[StrictTypeChecking] void blendFuncSeparate(in unsigned long srcRGB, in unsigned long dstRGB, in unsigned long srcAlpha, in unsigned long dstAlpha);
[StrictTypeChecking] void bufferData(in unsigned long target, in ArrayBuffer data, in unsigned long usage) raises (DOMException);
[StrictTypeChecking] void bufferData(in unsigned long target, in ArrayBufferView data, in unsigned long usage) raises (DOMException);
- [StrictTypeChecking] void bufferData(in unsigned long target, in long size, in unsigned long usage) raises (DOMException);
- [StrictTypeChecking] void bufferSubData(in unsigned long target, in long offset, in ArrayBuffer data) raises (DOMException);
- [StrictTypeChecking] void bufferSubData(in unsigned long target, in long offset, in ArrayBufferView data) raises (DOMException);
+ [StrictTypeChecking] void bufferData(in unsigned long target, in long long size, in unsigned long usage) raises (DOMException);
+ [StrictTypeChecking] void bufferSubData(in unsigned long target, in long long offset, in ArrayBuffer data) raises (DOMException);
+ [StrictTypeChecking] void bufferSubData(in unsigned long target, in long long offset, in ArrayBufferView data) raises (DOMException);
[StrictTypeChecking] unsigned long checkFramebufferStatus(in unsigned long target);
[StrictTypeChecking] void clear(in unsigned long mask);
@@ -521,7 +521,7 @@ module html {
[StrictTypeChecking] void disable(in unsigned long cap);
[StrictTypeChecking] void disableVertexAttribArray(in unsigned long index) raises(DOMException);
[StrictTypeChecking] void drawArrays(in unsigned long mode, in long first, in long count) raises(DOMException);
- [StrictTypeChecking] void drawElements(in unsigned long mode, in long count, in unsigned long type, in long offset) raises(DOMException);
+ [StrictTypeChecking] void drawElements(in unsigned long mode, in long count, in unsigned long type, in long long offset) raises(DOMException);
[StrictTypeChecking] void enable(in unsigned long cap);
[StrictTypeChecking] void enableVertexAttribArray(in unsigned long index) raises(DOMException);
@@ -582,7 +582,7 @@ module html {
// any getVertexAttrib(in unsigned long index, in unsigned long pname) raises(DOMException);
[StrictTypeChecking, Custom] void getVertexAttrib();
- [StrictTypeChecking] long getVertexAttribOffset(in unsigned long index, in unsigned long pname);
+ [StrictTypeChecking] long long getVertexAttribOffset(in unsigned long index, in unsigned long pname);
[StrictTypeChecking] void hint(in unsigned long target, in unsigned long mode);
[StrictTypeChecking] boolean isBuffer(in WebGLBuffer buffer);
@@ -676,7 +676,7 @@ module html {
[StrictTypeChecking] void vertexAttrib4f(in unsigned long indx, in float x, in float y, in float z, in float w);
[StrictTypeChecking, Custom] void vertexAttrib4fv(in unsigned long indx, in Float32Array values);
[StrictTypeChecking] void vertexAttribPointer(in unsigned long indx, in long size, in unsigned long type, in boolean normalized,
- in long stride, in long offset) raises(DOMException);
+ in long stride, in long long offset) raises(DOMException);
[StrictTypeChecking] void viewport(in long x, in long y, in long width, in long height);
};