Bug 911851 - Check WebGL sizeiptr arguments - r=jgilbert
authorBenoit Jacob <bjacob@mozilla.com>
Wed, 04 Sep 2013 08:14:39 -0400
changeset 145447 6326e7096fd8f7e6e0454931e294c85df49c6e7e
parent 145446 49daf6b00b8f3026a649e7225b1c9d6128bb9c58
child 145448 104a75d724dd99220949900c4eb3567f9f4e7c70
push id25213
push userkwierso@gmail.com
push dateWed, 04 Sep 2013 23:18:26 +0000
reviewersjgilbert
bugs911851
milestone26.0a1
Bug 911851 - Check WebGL sizeiptr arguments - r=jgilbert
content/canvas/src/WebGLContextBuffers.cpp
--- a/content/canvas/src/WebGLContextBuffers.cpp
+++ b/content/canvas/src/WebGLContextBuffers.cpp
@@ -147,16 +147,20 @@ WebGLContext::BufferData(WebGLenum targe
     }
 
     if (size < 0)
         return ErrorInvalidValue("bufferData: negative size");
 
     if (!ValidateBufferUsageEnum(usage, "bufferData: usage"))
         return;
 
+    // careful: WebGLsizeiptr is always 64-bit, but GLsizeiptr is like intptr_t.
+    if (!CheckedInt<GLsizeiptr>(size).isValid())
+        return ErrorOutOfMemory("bufferData: bad size");
+
     WebGLBuffer* boundBuffer = bufferSlot->get();
 
     if (!boundBuffer)
         return ErrorInvalidOperation("bufferData: no buffer bound!");
 
     void* zeroBuffer = calloc(size, 1);
     if (!zeroBuffer)
         return ErrorOutOfMemory("bufferData: out of memory");
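Review bot: The same GLsizeiptr range check and "careful:" comment are pasted into all three BufferData overloads (this hunk and the two that follow), but its position relative to ValidateBufferUsageEnum differs: in the second hunk the size check runs before the usage-enum check, in this hunk and the third it runs after, so an oversize buffer combined with a bad usage enum reports OUT_OF_MEMORY in one overload and INVALID_ENUM in the others. Factoring the check into one private helper would pin both the ordering and the error, and leaves a single place to revisit whether an unrepresentable size should be OUT_OF_MEMORY rather than INVALID_VALUE — a one-line comment on that choice, e.g. `// Unrepresentable in GLsizeiptr on this platform: treat as an allocation failure rather than INVALID_VALUE.`, would help the next reader. The sketch below assumes ErrorOutOfMemory accepts printf-style arguments the way GenerateWarning does on the last line of the third hunk; if it does not, keep the literal message. BufferData's body starts above this hunk in each case.
```cpp
// Suggested helper (name is a proposal): one definition of the 64-bit -> GLsizeiptr check.
bool
WebGLContext::ValidateSizeiptr(int64_t size, const char* info)
{
    // careful: WebGLsizeiptr is always 64-bit, but GLsizeiptr is like intptr_t.
    if (!CheckedInt<GLsizeiptr>(size).isValid()) {
        ErrorOutOfMemory("%s: bad size", info);
        return false;
    }
    return true;
}

// … unchanged: negative-size check, ValidateBufferUsageEnum …
    if (!ValidateSizeiptr(size, "bufferData"))
        return;
// … unchanged: bound-buffer check, calloc …
```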
@@ -194,16 +198,20 @@ WebGLContext::BufferData(WebGLenum targe
     WebGLRefPtr<WebGLBuffer>* bufferSlot = GetBufferSlotByTarget(target, "bufferData");
 
     if (!bufferSlot) {
         return;
     }
 
     const ArrayBuffer& data = maybeData.Value();
 
+    // careful: data.Length() could conceivably be any size_t, but GLsizeiptr is like intptr_t.
+    if (!CheckedInt<GLsizeiptr>(data.Length()).isValid())
+        return ErrorOutOfMemory("bufferData: bad size");
+
     if (!ValidateBufferUsageEnum(usage, "bufferData: usage"))
         return;
 
     WebGLBuffer* boundBuffer = bufferSlot->get();
 
     if (!boundBuffer)
         return ErrorInvalidOperation("bufferData: no buffer bound!");
 
@@ -239,16 +247,20 @@ WebGLContext::BufferData(WebGLenum targe
     if (!ValidateBufferUsageEnum(usage, "bufferData: usage"))
         return;
 
     WebGLBuffer* boundBuffer = bufferSlot->get();
 
     if (!boundBuffer)
         return ErrorInvalidOperation("bufferData: no buffer bound!");
 
+    // careful: data.Length() could conceivably be any size_t, but GLsizeiptr is like intptr_t.
+    if (!CheckedInt<GLsizeiptr>(data.Length()).isValid())
+        return ErrorOutOfMemory("bufferData: bad size");
+
     InvalidateBufferFetching();
     MakeContextCurrent();
 
     GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
     if (error) {
         GenerateWarning("bufferData generated error %s", ErrorName(error));
         return;
     }