Bug 911850 - BindBufferRange should check for out-of-bounds range - r=jgilbert
authorBenoit Jacob <bjacob@mozilla.com>
Wed, 04 Sep 2013 08:14:37 -0400
changeset 145446 49daf6b00b8f3026a649e7225b1c9d6128bb9c58
parent 145445 e7486d3f5ce818916127b6a92fee5ac20f0be6a4
child 145447 6326e7096fd8f7e6e0454931e294c85df49c6e7e
push id25213
push userkwierso@gmail.com
push dateWed, 04 Sep 2013 23:18:26 +0000
reviewersjgilbert
bugs911850
milestone26.0a1
Bug 911850 - BindBufferRange should check for out-of-bounds range - r=jgilbert
content/canvas/src/WebGLContextBuffers.cpp
--- a/content/canvas/src/WebGLContextBuffers.cpp
+++ b/content/canvas/src/WebGLContextBuffers.cpp
@@ -108,16 +108,22 @@ WebGLContext::BindBufferRange(WebGLenum 
 
     if (buffer) {
         if (!buffer->Target()) {
             buffer->SetTarget(target);
             buffer->SetHasEverBeenBound(true);
         } else if (target != buffer->Target()) {
             return ErrorInvalidOperation("bindBuffer: buffer already bound to a different target");
         }
+        CheckedInt<WebGLsizeiptr> checked_neededByteLength = CheckedInt<WebGLsizeiptr>(offset) + size;
+        if (!checked_neededByteLength.isValid() ||
+            checked_neededByteLength.value() > buffer->ByteLength())
+        {
+            return ErrorInvalidValue("bindBufferRange: invalid range");
+        }
     }
 
     WebGLRefPtr<WebGLBuffer>* bufferSlot = GetBufferSlotByTarget(target, "bindBuffer");
 
     MOZ_ASSERT(bufferSlot, "GetBufferSlotByTarget(Indexed) mismatch");
 
     *indexedBufferSlot = buffer;
     *bufferSlot = buffer;
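Review bot: The added check around `CheckedInt<WebGLsizeiptr>(offset) + size` bounds only the sum, so it does not by itself reject a negative `offset` or `size`; if both types are signed, as the intptr/sizeiptr names suggest, a negative offset paired with a larger size gives a small, valid sum that passes the comparison against `buffer->ByteLength()`. BindBufferRange starts above this hunk, so the arguments may already be validated there; if they are not, add `if (offset < 0 || size < 0) return ErrorInvalidValue("bindBufferRange: negative offset or size");` ahead of the CheckedInt computation. The comparison also mixes the checked signed value with whatever type `ByteLength()` returns, which is not visible here, so an explicit cast or a short comment stating the intended signedness would make the bound unambiguous. Because the range is validated only at bind time, it is also worth confirming that re-specifying the buffer store to a smaller size later cannot leave a stale range bound.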