[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

eric at webkit.org eric at webkit.org
Thu Apr 8 00:59:03 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit 0200cbd34d43fb7eb3c9a3024f7245464df76566
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sat Jan 9 01:02:53 2010 +0000

    2010-01-08  Kenneth Russell  <kbr at google.com>
    
            Reviewed by Dimitri Glazkov.
    
            Passing array that is too large to set method of WebGLArrays does not throw an exception
            https://bugs.webkit.org/show_bug.cgi?id=33352
    
            Added needed range checks to JSC and V8 custom bindings. Expanded
            preexisting test suite for WebGLArrays and updated its expected
            results. Tested in WebKit and Chromium.
    
            * fast/canvas/webgl/array-set-out-of-bounds-expected.txt: Added.
            * fast/canvas/webgl/array-set-out-of-bounds.html: Added.
            * fast/canvas/webgl/array-unit-tests-expected.txt:
            * fast/canvas/webgl/array-unit-tests.html:
    2010-01-08  Kenneth Russell  <kbr at google.com>
    
            Reviewed by Dimitri Glazkov.
    
            Passing array that is too large to set method of WebGLArrays does not throw an exception
            https://bugs.webkit.org/show_bug.cgi?id=33352
    
            Added needed range checks to JSC and V8 custom bindings. Expanded
            preexisting test suite for WebGLArrays and updated its expected
            results. Tested in WebKit and Chromium.
    
            Test: fast/canvas/webgl/array-set-out-of-bounds.html
    
            * bindings/js/JSWebGLArrayHelper.h:
            (WebCore::setWebGLArrayFromArray):
            * bindings/v8/custom/V8WebGLArrayCustom.h:
            (WebCore::setWebGLArrayFromArray):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@53026 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 6120e10..3e48332 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,19 @@
+2010-01-08  Kenneth Russell  <kbr at google.com>
+
+        Reviewed by Dimitri Glazkov.
+
+        Passing array that is too large to set method of WebGLArrays does not throw an exception
+        https://bugs.webkit.org/show_bug.cgi?id=33352
+
+        Added needed range checks to JSC and V8 custom bindings. Expanded
+        preexisting test suite for WebGLArrays and updated its expected
+        results. Tested in WebKit and Chromium.
+
+        * fast/canvas/webgl/array-set-out-of-bounds-expected.txt: Added.
+        * fast/canvas/webgl/array-set-out-of-bounds.html: Added.
+        * fast/canvas/webgl/array-unit-tests-expected.txt:
+        * fast/canvas/webgl/array-unit-tests.html:
+
 2010-01-08  Eric Seidel  <eric at webkit.org>
 
         Reviewed by Alexey Proskuryakov.
diff --git a/LayoutTests/fast/canvas/webgl/array-set-out-of-bounds-expected.txt b/LayoutTests/fast/canvas/webgl/array-set-out-of-bounds-expected.txt
new file mode 100644
index 0000000..9977c91
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/array-set-out-of-bounds-expected.txt
@@ -0,0 +1,30 @@
+Verifies that attempting to set out-of-bounds elements of a WebGLArray from a JavaScript array throws an exception
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+Regression test for https://bugs.webkit.org/show_bug.cgi?id=33352 : Passing array that is too large to set method of WebGLArrays does not throw an exception
+Testing WebGLByteArray
+PASS webGLArray.set([4, 5], 1) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+PASS webGLArray.set([4, 5, 6]) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+Testing WebGLUnsignedByteArray
+PASS webGLArray.set([4, 5], 1) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+PASS webGLArray.set([4, 5, 6]) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+Testing WebGLShortArray
+PASS webGLArray.set([4, 5], 1) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+PASS webGLArray.set([4, 5, 6]) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+Testing WebGLUnsignedShortArray
+PASS webGLArray.set([4, 5], 1) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+PASS webGLArray.set([4, 5, 6]) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+Testing WebGLIntArray
+PASS webGLArray.set([4, 5], 1) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+PASS webGLArray.set([4, 5, 6]) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+Testing WebGLUnsignedIntArray
+PASS webGLArray.set([4, 5], 1) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+PASS webGLArray.set([4, 5, 6]) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+Testing WebGLFloatArray
+PASS webGLArray.set([4, 5], 1) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+PASS webGLArray.set([4, 5, 6]) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/canvas/webgl/array-set-out-of-bounds.html b/LayoutTests/fast/canvas/webgl/array-set-out-of-bounds.html
new file mode 100644
index 0000000..a501af8
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/array-set-out-of-bounds.html
@@ -0,0 +1,42 @@
+<html>
+<head>
+<link rel="stylesheet" href="../../js/resources/js-test-style.css"/>
+<script src="../../js/resources/js-test-pre.js"></script>
+<script src="resources/webgl-test.js"></script>
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<script>
+
+description("Verifies that attempting to set out-of-bounds elements of a WebGLArray from a JavaScript array throws an exception");
+
+debug('Regression test for <a href="https://bugs.webkit.org/show_bug.cgi?id=33352">https://bugs.webkit.org/show_bug.cgi?id=33352</a> : <code>Passing array that is too large to set method of WebGLArrays does not throw an exception</code>');
+
+// Global scope so shouldThrow can see it
+var webGLArray;
+
+function negativeTestSet(typeName) {
+    var type = window[typeName];
+    webGLArray = new type([2, 3]);
+    debug('Testing ' + typeName);
+    shouldThrow("webGLArray.set([4, 5], 1)");
+    shouldThrow("webGLArray.set([4, 5, 6])");
+}
+
+negativeTestSet("WebGLByteArray");
+negativeTestSet("WebGLUnsignedByteArray");
+negativeTestSet("WebGLShortArray");
+negativeTestSet("WebGLUnsignedShortArray");
+negativeTestSet("WebGLIntArray");
+negativeTestSet("WebGLUnsignedIntArray");
+negativeTestSet("WebGLFloatArray");
+
+successfullyParsed = true;
+
+</script>
+
+<script src="../../js/resources/js-test-post.js"></script>
+</body>
+</html>
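Review bot: negativeTestSet only exercises writes that run past the end of the two-element array (`set([4, 5], 1)` and `set([4, 5, 6])`); an offset below zero is not covered, so a binding that merely compares `offset + length` against the array length would still pass this test while accepting a negative offset. Adding `shouldThrow("webGLArray.set([4, 5], -1)");` next to the two existing calls would pin that case, with the matching line added to array-set-out-of-bounds-expected.txt. Whether the bindings reject a negative offset today cannot be told from the test alone, which is exactly why it is worth asserting.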
diff --git a/LayoutTests/fast/canvas/webgl/array-unit-tests-expected.txt b/LayoutTests/fast/canvas/webgl/array-unit-tests-expected.txt
index 15bfa43..e297d1c 100644
--- a/LayoutTests/fast/canvas/webgl/array-unit-tests-expected.txt
+++ b/LayoutTests/fast/canvas/webgl/array-unit-tests-expected.txt
@@ -10,6 +10,7 @@ PASS test WebGLByteArray OffsetsAndSizes
 PASS test WebGLByteArray SetFromWebGLArray
 PASS negativeTest WebGLByteArray SetFromWebGLArray
 PASS test WebGLByteArray SetFromArray
+PASS negativeTest WebGLByteArray SetFromArray
 PASS test WebGLByteArray Slice
 PASS negativeTest WebGLByteArray Slice
 PASS test WebGLByteArray BoundaryConditions(-128, -128, 127, 127)
@@ -21,6 +22,7 @@ PASS test WebGLFloatArray OffsetsAndSizes
 PASS test WebGLFloatArray SetFromWebGLArray
 PASS negativeTest WebGLFloatArray SetFromWebGLArray
 PASS test WebGLFloatArray SetFromArray
+PASS negativeTest WebGLFloatArray SetFromArray
 PASS test WebGLFloatArray Slice
 PASS negativeTest WebGLFloatArray Slice
 PASS test WebGLFloatArray BoundaryConditions(-500.5, -500.5, 500.5, 500.5)
@@ -32,6 +34,7 @@ PASS test WebGLIntArray OffsetsAndSizes
 PASS test WebGLIntArray SetFromWebGLArray
 PASS negativeTest WebGLIntArray SetFromWebGLArray
 PASS test WebGLIntArray SetFromArray
+PASS negativeTest WebGLIntArray SetFromArray
 PASS test WebGLIntArray Slice
 PASS negativeTest WebGLIntArray Slice
 PASS test WebGLIntArray BoundaryConditions(-2147483648, -2147483648, 2147483647, 2147483647)
@@ -43,6 +46,7 @@ PASS test WebGLShortArray OffsetsAndSizes
 PASS test WebGLShortArray SetFromWebGLArray
 PASS negativeTest WebGLShortArray SetFromWebGLArray
 PASS test WebGLShortArray SetFromArray
+PASS negativeTest WebGLShortArray SetFromArray
 PASS test WebGLShortArray Slice
 PASS negativeTest WebGLShortArray Slice
 PASS test WebGLShortArray BoundaryConditions(-32768, -32768, 32767, 32767)
@@ -54,6 +58,7 @@ PASS test WebGLUnsignedByteArray OffsetsAndSizes
 PASS test WebGLUnsignedByteArray SetFromWebGLArray
 PASS negativeTest WebGLUnsignedByteArray SetFromWebGLArray
 PASS test WebGLUnsignedByteArray SetFromArray
+PASS negativeTest WebGLUnsignedByteArray SetFromArray
 PASS test WebGLUnsignedByteArray Slice
 PASS negativeTest WebGLUnsignedByteArray Slice
 PASS test WebGLUnsignedByteArray BoundaryConditions(0, 0, 255, 255)
@@ -65,6 +70,7 @@ PASS test WebGLUnsignedIntArray OffsetsAndSizes
 PASS test WebGLUnsignedIntArray SetFromWebGLArray
 PASS negativeTest WebGLUnsignedIntArray SetFromWebGLArray
 PASS test WebGLUnsignedIntArray SetFromArray
+PASS negativeTest WebGLUnsignedIntArray SetFromArray
 PASS test WebGLUnsignedIntArray Slice
 PASS negativeTest WebGLUnsignedIntArray Slice
 PASS test WebGLUnsignedIntArray BoundaryConditions(0, 0, 4294967295, 4294967295)
@@ -76,6 +82,7 @@ PASS test WebGLUnsignedShortArray OffsetsAndSizes
 PASS test WebGLUnsignedShortArray SetFromWebGLArray
 PASS negativeTest WebGLUnsignedShortArray SetFromWebGLArray
 PASS test WebGLUnsignedShortArray SetFromArray
+PASS negativeTest WebGLUnsignedShortArray SetFromArray
 PASS test WebGLUnsignedShortArray Slice
 PASS negativeTest WebGLUnsignedShortArray Slice
 PASS test WebGLUnsignedShortArray BoundaryConditions(0, 0, 65535, 65535)
diff --git a/LayoutTests/fast/canvas/webgl/array-unit-tests.html b/LayoutTests/fast/canvas/webgl/array-unit-tests.html
index a33f89e..6aeac5e 100644
--- a/LayoutTests/fast/canvas/webgl/array-unit-tests.html
+++ b/LayoutTests/fast/canvas/webgl/array-unit-tests.html
@@ -32,7 +32,7 @@ function fail(str) {
   if (str)
     exc = currentlyRunning + ': ' + str;
   else
-    exc = str;
+    exc = currentlyRunning;
   testFailed(exc);
 }
 
@@ -284,6 +284,28 @@ function testSetFromArray(type, name) {
   }
 }
 
+function negativeTestSetFromArray(type, name) {
+  running('negativeTest ' + name + ' SetFromArray');
+  try {
+    var array = new type([2, 3]);
+    try {
+      array.set([4, 5], 1);
+      fail();
+      return;
+    } catch (e) {
+    }
+    try {
+      array.set([4, 5, 6]);
+      fail();
+      return;
+    } catch (e) {
+    }
+    pass();
+  } catch (e) {
+    fail(e);
+  }
+}
+
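Review bot: Both `catch (e) {}` blocks in negativeTestSetFromArray accept any exception as a pass, so a TypeError from a typo in the call, or a `set` method that is missing entirely, would be recorded as `PASS negativeTest ... SetFromArray`. Assuming the thrown value is the DOMException that array-set-out-of-bounds-expected.txt shows as `INDEX_SIZE_ERR: DOM Exception 1`, checking it inside each catch, e.g. `if (e.code != DOMException.INDEX_SIZE_ERR) { fail(e); return; }`, keeps the test specific to the out-of-bounds rejection. It would also catch the reverse regression where the binding throws the wrong exception type.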
 function testSlice(type, name) {
   running('test ' + name + ' Slice');
   try {
@@ -430,6 +452,7 @@ function runTests() {
     testSetFromWebGLArray(type, name);
     negativeTestSetFromWebGLArray(type, name);
     testSetFromArray(type, name);
+    negativeTestSetFromArray(type, name);
     testSlice(type, name);
     negativeTestSlice(type, name);
     testBoundaryConditions(type,
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 838a239..c02896f 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2010-01-08  Kenneth Russell  <kbr at google.com>
+
+        Reviewed by Dimitri Glazkov.
+
+        Passing array that is too large to set method of WebGLArrays does not throw an exception
+        https://bugs.webkit.org/show_bug.cgi?id=33352
+
+        Added needed range checks to JSC and V8 custom bindings. Expanded
+        preexisting test suite for WebGLArrays and updated its expected
+        results. Tested in WebKit and Chromium.
+
+        Test: fast/canvas/webgl/array-set-out-of-bounds.html
+
+        * bindings/js/JSWebGLArrayHelper.h:
+        (WebCore::setWebGLArrayFromArray):
+        * bindings/v8/custom/V8WebGLArrayCustom.h:
+        (WebCore::setWebGLArrayFromArray):
+
 2010-01-08  Alexey Proskuryakov  <ap at apple.com>
 
         Reviewed by Dan Bernstein.
diff --git a/WebCore/bindings/js/JSWebGLArrayHelper.h b/WebCore/bindings/js/JSWebGLArrayHelper.h
index f538cce..3326d76 100644
--- a/WebCore/bindings/js/JSWebGLArrayHelper.h
+++ b/WebCore/bindings/js/JSWebGLArrayHelper.h
@@ -27,6 +27,8 @@
 #ifndef JSWebGLArrayHelper_h
 #define JSWebGLArrayHelper_h
 
+#include "ExceptionCode.h"
+#include "JSDOMBinding.h"
 #include <interpreter/CallFrame.h>
 #include <runtime/ArgList.h>
 #include <runtime/Error.h>
@@ -45,11 +47,15 @@ JSC::JSValue setWebGLArrayFromArray(JSC::ExecState* exec, T* webGLArray, JSC::Ar
         if (args.size() == 2)
             offset = args.at(1).toInt32(exec);
         int length = array->get(exec, JSC::Identifier(exec, "length")).toInt32(exec);
-        for (int i = 0; i < length; i++) {
-            JSC::JSValue v = array->get(exec, i);
-            if (exec->hadException())
-                return JSC::jsUndefined();
-            webGLArray->set(i + offset, v.toNumber(exec));
+        if (offset + length > webGLArray->length())
+            setDOMException(exec, INDEX_SIZE_ERR);
+        else {
+            for (int i = 0; i < length; i++) {
+                JSC::JSValue v = array->get(exec, i);
+                if (exec->hadException())
+                    return JSC::jsUndefined();
+                webGLArray->set(i + offset, v.toNumber(exec));
+            }
         }
 
         return JSC::jsUndefined();
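Review bot: The new guard `if (offset + length > webGLArray->length())` still admits a negative offset: `offset` (declared above the hunk, presumably an `int`) is assigned from `toInt32` and can be negative, in which case the sum shrinks, the check passes, and the loop calls `webGLArray->set(i + offset, ...)` with an index below zero, whatever `set` does with that depending on its declaration outside this hunk. With both operands signed, `offset + length` can also overflow for a large offset, which is undefined behaviour, and the signedness of the comparison against `length()` is not visible here. Rejecting the operands individually avoids both problems, e.g. `if (offset < 0 || length < 0 || static_cast<unsigned>(offset) > webGLArray->length() || static_cast<unsigned>(length) > webGLArray->length() - offset)`, assuming `length()` returns an unsigned element count. The same check is needed in the V8 hunk in V8WebGLArrayCustom.h, where `offset + length` is evaluated in `uint32_t` and wraps instead of overflowing. setWebGLArrayFromArray starts before this hunk and its closing brace is outside it.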
diff --git a/WebCore/bindings/v8/custom/V8WebGLArrayCustom.h b/WebCore/bindings/v8/custom/V8WebGLArrayCustom.h
index 77850f5..a9df7c7 100644
--- a/WebCore/bindings/v8/custom/V8WebGLArrayCustom.h
+++ b/WebCore/bindings/v8/custom/V8WebGLArrayCustom.h
@@ -174,9 +174,11 @@ v8::Handle<v8::Value> setWebGLArrayFromArray(T* webGLArray, const v8::Arguments&
         if (args.Length() == 2)
             offset = toInt32(args[1]);
         uint32_t length = toInt32(array->Get(v8::String::New("length")));
-        for (uint32_t i = 0; i < length; i++) {
-            webGLArray->set(offset + i, array->Get(v8::Integer::New(i))->NumberValue());
-        }
+        if (offset + length > webGLArray->length())
+            V8Proxy::setDOMException(INDEX_SIZE_ERR);
+        else
+            for (uint32_t i = 0; i < length; i++)
+                webGLArray->set(offset + i, array->Get(v8::Integer::New(i))->NumberValue());
     }
 
     return v8::Undefined();
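Review bot: The loop body `webGLArray->set(offset + i, array->Get(v8::Integer::New(i))->NumberValue())` dereferences the result of `Get` without checking it, whereas the JSC counterpart in JSWebGLArrayHelper.h returns on `exec->hadException()` after every element read. If the source object has an accessor for an index that throws, `Get` presumably returns an empty handle in this V8 API version and `NumberValue()` on it would be a null dereference; worth confirming against the V8 headers in use. Checking the handle before use keeps the two bindings consistent and stops the write loop at the first failed read. setWebGLArrayFromArray starts before this hunk and its closing brace is outside it.
```cpp
        else {
            for (uint32_t i = 0; i < length; i++) {
                v8::Handle<v8::Value> value = array->Get(v8::Integer::New(i));
                if (value.IsEmpty())
                    return v8::Undefined();
                webGLArray->set(offset + i, value->NumberValue());
            }
        }
```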
