Bug 682335 - crash [@ WebGLContext::BufferSubData_array] - r=jrmuizel
authorBenoit Jacob <bjacob@mozilla.com>
Fri, 09 Sep 2011 18:00:20 -0400
changeset 76827 9f664f2ac12c6ee1fc0f92ff06a9f4fbff3895ac
parent 76826 d078623f7875c1b77e0d05c7d541cc23a4b239a7
child 76828 db67bdba5ca815d885a7f0127d6c23acde6524ed
push id3
push userfelipc@gmail.com
push dateFri, 30 Sep 2011 20:09:13 +0000
reviewersjrmuizel
bugs682335
milestone9.0a1
Bug 682335 - crash [@ WebGLContext::BufferSubData_array] - r=jrmuizel
content/canvas/src/WebGLContext.h
--- a/content/canvas/src/WebGLContext.h
+++ b/content/canvas/src/WebGLContext.h
@@ -808,37 +808,41 @@ public:
     void SetByteLength(GLuint byteLength) { mByteLength = byteLength; }
     void SetTarget(GLenum target) { mTarget = target; }
 
     // element array buffers are the only buffers for which we need to keep a copy of the data.
     // this method assumes that the byte length has previously been set by calling SetByteLength.
     PRBool CopyDataIfElementArray(const void* data) {
         if (mTarget == LOCAL_GL_ELEMENT_ARRAY_BUFFER) {
             mData = realloc(mData, mByteLength);
-            if (!mData)
+            if (!mData) {
+                mByteLength = 0;
                 return PR_FALSE;
+            }
             memcpy(mData, data, mByteLength);
         }
         return PR_TRUE;
     }
 
     // same comments as for CopyElementArrayData
     PRBool ZeroDataIfElementArray() {
         if (mTarget == LOCAL_GL_ELEMENT_ARRAY_BUFFER) {
             mData = realloc(mData, mByteLength);
-            if (!mData)
+            if (!mData) {
+                mByteLength = 0;
                 return PR_FALSE;
+            }
             memset(mData, 0, mByteLength);
         }
         return PR_TRUE;
     }
 
     // same comments as for CopyElementArrayData
     void CopySubDataIfElementArray(GLuint byteOffset, GLuint byteLength, const void* data) {
-        if (mTarget == LOCAL_GL_ELEMENT_ARRAY_BUFFER) {
+        if (mTarget == LOCAL_GL_ELEMENT_ARRAY_BUFFER && mByteLength) {
             memcpy((void*) (size_t(mData)+byteOffset), data, byteLength);
         }
     }
 
     // this method too is only for element array buffers. It returns the maximum value in the part of
     // the buffer starting at given offset, consisting of given count of elements. The type T is the type
     // to interprete the array elements as, must be GLushort or GLubyte.
     template<typename T>
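Review bot: The new `&& mByteLength` guard in `CopySubDataIfElementArray` only covers the failed-realloc case and still does not bound the write, so the `memcpy` to `mData + byteOffset` is safe only if every caller has already checked the range against `mByteLength`. Those callers are outside this hunk, so the check may well exist, but it is cheap to enforce here in overflow-safe form and to test the pointer directly: `if (mTarget == LOCAL_GL_ELEMENT_ARRAY_BUFFER && mData && byteLength <= mByteLength && byteOffset <= mByteLength - byteLength) {`. Separately, `CopyDataIfElementArray` and `ZeroDataIfElementArray` assign the result of `realloc` straight to `mData`, so on failure the previous allocation is leaked; take the result in a temporary and `free(mData)` before zeroing the length. The "same comments as for CopyElementArrayData" comments also name a method that does not match the one above, `CopyDataIfElementArray`.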