Unified Diff: Source/modules/webgl/WebGL2RenderingContextBase.cpp

Issue 1315983010: WebGL: validations and fixes to avoid buffer/texture overflow (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 5 years, 3 months ago
Index: Source/modules/webgl/WebGL2RenderingContextBase.cpp
diff --git a/Source/modules/webgl/WebGL2RenderingContextBase.cpp b/Source/modules/webgl/WebGL2RenderingContextBase.cpp
index a839b1ce73f670ac09edba0b3d0937e1988734ec..1ceda2e91d3dcc01bfa1213e8a38c7a490b51627 100644
--- a/Source/modules/webgl/WebGL2RenderingContextBase.cpp
+++ b/Source/modules/webgl/WebGL2RenderingContextBase.cpp
@@ -106,6 +106,11 @@ void WebGL2RenderingContextBase::copyBufferSubData(GLenum readTarget, GLenum wri
if (!writeBuffer)
return;
+ if (readOffset + size > readBuffer->getSize() || writeOffset + size > writeBuffer->getSize()) {
Zhenyao Mo 2015/09/02 17:59:03 Overflow detection. We made sure the offset/size f
yunchao 2015/09/04 08:22:07 the function validateValueFitNonNegInt32 makes sur
Zhenyao Mo 2015/09/04 18:36:28 Not really. Two uint32 adding won't overflow uint
+ synthesizeGLError(GL_INVALID_VALUE, "copyBufferSubData", "buffer overflow");
+ return;
+ }
+
if ((writeBuffer->getInitialTarget() == GL_ELEMENT_ARRAY_BUFFER && readBuffer->getInitialTarget() != GL_ELEMENT_ARRAY_BUFFER)
|| (writeBuffer->getInitialTarget() != GL_ELEMENT_ARRAY_BUFFER && readBuffer->getInitialTarget() == GL_ELEMENT_ARRAY_BUFFER)) {
synthesizeGLError(GL_INVALID_OPERATION, "copyBufferSubData", "Cannot copy into an element buffer destination from a non-element buffer source");
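Review bot: The new bounds check on line 21 still accepts a copy between overlapping ranges of the same buffer, which the ES 3.0 description of CopyBufferSubData makes an INVALID_VALUE error when readBuffer and writeBuffer are the same object and [readOffset, readOffset+size) intersects [writeOffset, writeOffset+size). The command-buffer side presumably rejects it too, but synthesizing the error here keeps the behaviour consistent with the other client-side checks in this function and avoids reporting it only as a GPU-side error. The additions are safe only because readOffset, writeOffset and size were bounded earlier; that validation, like the start of copyBufferSubData, is above this hunk. I would add the following right after the size check.
```cpp
    // … unchanged: offset/size bounds check against getSize() …
    }
    // ES 3.0 CopyBufferSubData: a copy within one buffer is only valid when the two ranges are disjoint.
    if (readBuffer == writeBuffer
        && ((writeOffset >= readOffset && writeOffset < readOffset + size)
            || (readOffset >= writeOffset && readOffset < writeOffset + size))) {
        synthesizeGLError(GL_INVALID_VALUE, "copyBufferSubData", "overlapping ranges in the same buffer");
        return;
    }
    // … unchanged: element-buffer vs. non-element-buffer target check …
```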
@@ -132,6 +137,14 @@ void WebGL2RenderingContextBase::getBufferSubData(GLenum target, long long offse
return;
}
+ WebGLBuffer* buffer = validateBufferDataTarget("getBufferSubData", target);
+ if (!buffer)
+ return;
+ if (offset + returnedData->byteLength() > buffer->getSize()) {
Zhenyao Mo 2015/09/02 17:59:03 Same here. overflow detection.
yunchao 2015/09/04 08:22:07 same here.
+ synthesizeGLError(GL_INVALID_VALUE, "getBufferSubData", "buffer overflow");
+ return;
+ }
+
void* mappedData = webContext()->mapBufferRange(target, static_cast<GLintptr>(offset), returnedData->byteLength(), GL_MAP_READ_BIT);
if (!mappedData)
@@ -497,10 +510,10 @@ bool WebGL2RenderingContextBase::validateTexSubImage3D(const char* functionName,
if (!validateTexFuncLevel(functionName, target, level))
return false;
- if (width - xoffset > tex->getWidth(target, level)
- || height - yoffset > tex->getHeight(target, level)
- || depth - zoffset > tex->getDepth(target, level)) {
- synthesizeGLError(GL_INVALID_OPERATION, functionName, "dimensions out of range");
+ if (width + xoffset > tex->getWidth(target, level)
Zhenyao Mo 2015/09/02 17:59:03 Same here, overflow detection.
yunchao 2015/09/04 08:22:07 Done.
+ || height + yoffset > tex->getHeight(target, level)
+ || depth + zoffset > tex->getDepth(target, level)) {
+ synthesizeGLError(GL_INVALID_VALUE, functionName, "dimensions out of range");
return false;
}
@@ -597,10 +610,7 @@ void WebGL2RenderingContextBase::texSubImage3D(GLenum target, GLint level, GLint
void WebGL2RenderingContextBase::texSubImage3D(GLenum target, GLint level, GLint xoffset, GLint yoffset, GLint zoffset, GLenum format, GLenum type, HTMLImageElement* image, ExceptionState& exceptionState)
{
- if (isContextLost() || !image || !validateTexSubImage3D("texSubImage3D", target, level, xoffset, yoffset, zoffset, format, type, image->width(), image->height(), 1))
- return;
-
- if (isContextLost() || !validateHTMLImageElement("texSubImage3D", image, exceptionState))
+ if (isContextLost() || !image || !validateHTMLImageElement("texSubImage3D", image, exceptionState))
return;
RefPtr<Image> imageForRender = image->cachedImage()->imageForLayoutObject(image->layoutObject());
@@ -1663,6 +1673,11 @@ void WebGL2RenderingContextBase::bindBufferRange(GLenum target, GLuint index, We
return;
}
+ if (buffer && (offset + size > buffer->getSize())) {
Zhenyao Mo 2015/09/02 17:59:03 Same here, overflow detection.
yunchao 2015/09/04 08:22:07 same here
+ synthesizeGLError(GL_INVALID_VALUE, "bindBufferRange", "buffer overflow");
+ return;
+ }
+
webContext()->bindBufferRange(target, index, objectOrZero(buffer), static_cast<GLintptr>(offset), static_cast<GLsizeiptr>(size));
}
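Review bot: The added check on line 75 lets a non-null buffer bind with size == 0, which ES 3.0 BindBufferRange specifies as INVALID_VALUE ("buffer is non-zero and size is less than or equal to zero"); assuming the earlier validateValueFitNonNegInt32 calls only reject negative values, nothing in this hunk catches it. I would add a separate check rather than fold it into the overflow test so the message stays accurate: `if (buffer && size <= 0) { synthesizeGLError(GL_INVALID_VALUE, "bindBufferRange", "size must be greater than zero"); return; }`. The same spec section also requires offset and size to be multiples of 4 for GL_TRANSFORM_FEEDBACK_BUFFER and offset to be a multiple of UNIFORM_BUFFER_OFFSET_ALIGNMENT for GL_UNIFORM_BUFFER; if those are not enforced elsewhere in bindBufferRange, whose start is above this hunk, they belong next to this check. The bounds test also assumes buffer->getSize() reflects the most recent successful bufferData, which is worth a one-line comment.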
