[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.17-1283-gcf603cf

eric at webkit.org eric at webkit.org
Tue Jan 5 23:54:05 UTC 2010


The following commit has been merged in the webkit-1.1 branch:
commit 5a9f92da2447fb2168b63a5a309dcc97f8e6d406
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Dec 18 19:43:18 2009 +0000

    2009-12-18  Kenneth Russell  <kbr at google.com>
    
            Reviewed by Darin Fisher.
    
            Index validation for drawElements examines too many indices
            https://bugs.webkit.org/show_bug.cgi?id=32692
    
            * fast/canvas/webgl/bug-32692-expected.txt: Added.
            * fast/canvas/webgl/bug-32692.html: Added.
    2009-12-18  Kenneth Russell  <kbr at google.com>
    
            Reviewed by Darin Fisher.
    
            Index validation for drawElements examines too many indices
            https://bugs.webkit.org/show_bug.cgi?id=32692
    
            Test: fast/canvas/webgl/bug-32692.html
    
            * html/canvas/WebGLRenderingContext.cpp:
            (WebCore::WebGLRenderingContext::validateIndexArrayPrecise):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@52327 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 985032a..aaa8c69 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2009-12-18  Kenneth Russell  <kbr at google.com>
+
+        Reviewed by Darin Fisher.
+
+        Index validation for drawElements examines too many indices
+        https://bugs.webkit.org/show_bug.cgi?id=32692
+
+        * fast/canvas/webgl/bug-32692-expected.txt: Added.
+        * fast/canvas/webgl/bug-32692.html: Added.
+
 2009-12-18  Gustavo Noronha Silva  <gustavo.noronha at collabora.co.uk>
 
         Rubber-stamped by Xan Lopez.
diff --git a/LayoutTests/fast/canvas/webgl/bug-32692-expected.txt b/LayoutTests/fast/canvas/webgl/bug-32692-expected.txt
new file mode 100644
index 0000000..87fe811
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/bug-32692-expected.txt
@@ -0,0 +1,13 @@
+Regression test for https://bugs.webkit.org/show_bug.cgi?id=32692 : Index validation for drawElements examines too many indices
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+Test out of range indices
+PASS context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 2) is undefined.
+PASS context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 0) threw exception GL error 1282 in drawElements.
+PASS context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 4) threw exception GL error 1282 in drawElements.
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/canvas/webgl/bug-32692.html b/LayoutTests/fast/canvas/webgl/bug-32692.html
new file mode 100644
index 0000000..9b31abd
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/bug-32692.html
@@ -0,0 +1,40 @@
+<html>
+<head>
+<link rel="stylesheet" href="../../js/resources/js-test-style.css"/>
+<script src="../../js/resources/js-test-pre.js"></script>
+<script src="resources/webgl-test.js"></script>
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<script>
+description('Regression test for <a href="https://bugs.webkit.org/show_bug.cgi?id=32692">https://bugs.webkit.org/show_bug.cgi?id=32692</a> : <code>Index validation for drawElements examines too many indices</code>');
+
+var context = create3DDebugContext();
+var program = loadStandardProgram(context);
+
+context.useProgram(program);
+var vertexObject = context.createBuffer();
+context.enableVertexAttribArray(0);
+context.bindBuffer(context.ARRAY_BUFFER, vertexObject);
+// 4 vertices -> 2 triangles
+context.bufferData(context.ARRAY_BUFFER, new WebGLFloatArray([ 0,0,0, 0,1,0, 1,0,0, 1,1,0 ]), context.STATIC_DRAW);
+context.vertexAttribPointer(0, 3, context.FLOAT, false, 0, 0);
+
+var indexObject = context.createBuffer();
+
+debug("Test out of range indices")
+context.bindBuffer(context.ELEMENT_ARRAY_BUFFER, indexObject);
+context.bufferData(context.ELEMENT_ARRAY_BUFFER, new WebGLUnsignedShortArray([ 10000, 0, 1, 2, 3, 10000 ]), context.STATIC_DRAW);
+shouldBeUndefined("context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 2)");
+shouldThrow("context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 0)");
+shouldThrow("context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 4)");
+
+debug("")
+successfullyParsed = true;
+</script>
+
+<script src="../../js/resources/js-test-post.js"></script>
+</body>
+</html>
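Review bot: All three drawElements calls stay inside the six-element index buffer, so the test covers out-of-range index values but never a `count`/`offset` pair that extends past the end of the buffer, which the new per-range scan also has to reject. Consider adding `shouldThrow("context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 6)");` (elements 3 through 6 of a buffer whose last element is 5), with the matching line in bug-32692-expected.txt. The UNSIGNED_BYTE branch of the validator is not exercised by this test either.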
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index f97fe94..f8f291d 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2009-12-18  Kenneth Russell  <kbr at google.com>
+
+        Reviewed by Darin Fisher.
+
+        Index validation for drawElements examines too many indices
+        https://bugs.webkit.org/show_bug.cgi?id=32692
+
+        Test: fast/canvas/webgl/bug-32692.html
+
+        * html/canvas/WebGLRenderingContext.cpp:
+        (WebCore::WebGLRenderingContext::validateIndexArrayPrecise):
+
 2009-12-18  Sam Weinig  <sam at webkit.org>
 
         Reviewed by Anders Carlsson.
diff --git a/WebCore/html/canvas/WebGLRenderingContext.cpp b/WebCore/html/canvas/WebGLRenderingContext.cpp
index bb8e40a..5b8a326 100644
--- a/WebCore/html/canvas/WebGLRenderingContext.cpp
+++ b/WebCore/html/canvas/WebGLRenderingContext.cpp
@@ -647,31 +647,25 @@ bool WebGLRenderingContext::validateIndexArrayConservative(unsigned long type, l
 
 bool WebGLRenderingContext::validateIndexArrayPrecise(unsigned long count, unsigned long type, long offset, long& numElementsRequired)
 {
-    // FIXME: "count" should need to be used in the computation below
-    UNUSED_PARAM(count);
     long lastIndex = -1;
 
     if (!m_boundElementArrayBuffer)
         return false;
-        
-    // The GL spec says that count must be "greater
-    
+
     unsigned long uoffset = static_cast<unsigned long>(offset);
-    
+    unsigned long n = count;
+
     if (type == GraphicsContext3D::UNSIGNED_SHORT) {
         // Make uoffset an element offset.
         uoffset /= 2;
-    
-        unsigned long n = m_boundElementArrayBuffer->byteLength(GraphicsContext3D::ELEMENT_ARRAY_BUFFER) / 2;
-        const unsigned short* p = static_cast<const unsigned short*>(m_boundElementArrayBuffer->elementArrayBuffer()->data());
+        const unsigned short* p = static_cast<const unsigned short*>(m_boundElementArrayBuffer->elementArrayBuffer()->data()) + uoffset;
         while (n-- > 0) {
             if (*p > lastIndex)
                 lastIndex = *p;
             ++p;
         }
     } else if (type == GraphicsContext3D::UNSIGNED_BYTE) {
-        unsigned long n = m_boundElementArrayBuffer->byteLength(GraphicsContext3D::ELEMENT_ARRAY_BUFFER);
-        const unsigned char* p = static_cast<const unsigned char*>(m_boundElementArrayBuffer->elementArrayBuffer()->data());
+        const unsigned char* p = static_cast<const unsigned char*>(m_boundElementArrayBuffer->elementArrayBuffer()->data()) + uoffset;
         while (n-- > 0) {
             if (*p > lastIndex)
                 lastIndex = *p;
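Review bot: Neither loop in validateIndexArrayPrecise is bounded by the size of the bound element array buffer any more: `n` comes straight from `count` and `p` starts at `data() + uoffset`, so a `count` or `offset` larger than the buffer lets `*p` read past its end unless the caller has already rejected the call, which this hunk does not show. `offset` is also a signed `long` that is cast to `unsigned long` with no sign check. I would add a guard at the top of each type branch, before `uoffset /= 2` while it is still a byte offset: `unsigned long size = m_boundElementArrayBuffer->byteLength(GraphicsContext3D::ELEMENT_ARRAY_BUFFER);` followed by `if (offset < 0 || uoffset > size || n > (size - uoffset) / elementSize) return false;`, with `elementSize` 2 for UNSIGNED_SHORT and 1 for UNSIGNED_BYTE. The function body continues past the end of the hunk, so a later check cannot be ruled out, but it would come after the reads.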

-- 
WebKit Debian packaging


