OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2009 Google Inc. All rights reserved. | 2 * Copyright (C) 2009 Google Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions are | 5 * modification, are permitted provided that the following conditions are |
6 * met: | 6 * met: |
7 * | 7 * |
8 * * Redistributions of source code must retain the above copyright | 8 * * Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * * Redistributions in binary form must reproduce the above | 10 * * Redistributions in binary form must reproduce the above |
57 #include "V8Uint8Array.h" | 57 #include "V8Uint8Array.h" |
58 #include "V8WebGLBuffer.h" | 58 #include "V8WebGLBuffer.h" |
59 #include "V8WebGLFramebuffer.h" | 59 #include "V8WebGLFramebuffer.h" |
60 #include "V8WebGLProgram.h" | 60 #include "V8WebGLProgram.h" |
61 #include "V8WebGLRenderbuffer.h" | 61 #include "V8WebGLRenderbuffer.h" |
62 #include "V8WebGLShader.h" | 62 #include "V8WebGLShader.h" |
63 #include "V8WebGLTexture.h" | 63 #include "V8WebGLTexture.h" |
64 #include "V8WebGLUniformLocation.h" | 64 #include "V8WebGLUniformLocation.h" |
65 #include "V8WebGLVertexArrayObjectOES.h" | 65 #include "V8WebGLVertexArrayObjectOES.h" |
66 #include "WebGLRenderingContext.h" | 66 #include "WebGLRenderingContext.h" |
| 67 #include <limits> |
67 #include <wtf/FastMalloc.h> | 68 #include <wtf/FastMalloc.h> |
68 | 69 |
69 namespace WebCore { | 70 namespace WebCore { |
70 | 71 |
71 // Allocates new storage via tryFastMalloc. | 72 // Allocates new storage via tryFastMalloc. |
72 // Returns NULL if array failed to convert for any reason. | 73 // Returns NULL if array failed to convert for any reason. |
73 static float* jsArrayToFloatArray(v8::Handle<v8::Array> array, uint32_t len) | 74 static float* jsArrayToFloatArray(v8::Handle<v8::Array> array, uint32_t len) |
74 { | 75 { |
75 // Convert the data element-by-element. | 76 // Convert the data element-by-element. |
76 float* data; | 77 float* data; |
77 if (!tryFastMalloc(len * sizeof(float)).getValue(data)) | 78 if (len > std::numeric_limits<uint32_t>::max() / sizeof(float) |
| 79 || !tryFastMalloc(len * sizeof(float)).getValue(data)) |
78 return 0; | 80 return 0; |
79 for (uint32_t i = 0; i < len; i++) { | 81 for (uint32_t i = 0; i < len; i++) { |
80 v8::Local<v8::Value> val = array->Get(v8::Integer::New(i)); | 82 v8::Local<v8::Value> val = array->Get(v8::Integer::New(i)); |
81 if (!val->IsNumber()) { | 83 if (!val->IsNumber()) { |
82 fastFree(data); | 84 fastFree(data); |
83 return 0; | 85 return 0; |
84 } | 86 } |
85 data[i] = toFloat(val); | 87 data[i] = toFloat(val); |
86 } | 88 } |
87 return data; | 89 return data; |
88 } | 90 } |
89 | 91 |
90 // Allocates new storage via tryFastMalloc. | 92 // Allocates new storage via tryFastMalloc. |
91 // Returns NULL if array failed to convert for any reason. | 93 // Returns NULL if array failed to convert for any reason. |
92 static int* jsArrayToIntArray(v8::Handle<v8::Array> array, uint32_t len) | 94 static int* jsArrayToIntArray(v8::Handle<v8::Array> array, uint32_t len) |
93 { | 95 { |
94 // Convert the data element-by-element. | 96 // Convert the data element-by-element. |
95 int* data; | 97 int* data; |
96 if (!tryFastMalloc(len * sizeof(int)).getValue(data)) | 98 if (len > std::numeric_limits<uint32_t>::max() / sizeof(int) |
| 99 || !tryFastMalloc(len * sizeof(int)).getValue(data)) |
97 return 0; | 100 return 0; |
98 for (uint32_t i = 0; i < len; i++) { | 101 for (uint32_t i = 0; i < len; i++) { |
99 v8::Local<v8::Value> val = array->Get(v8::Integer::New(i)); | 102 v8::Local<v8::Value> val = array->Get(v8::Integer::New(i)); |
100 bool ok; | 103 bool ok; |
101 int ival = toInt32(val, ok); | 104 int ival = toInt32(val, ok); |
102 if (!ok) { | 105 if (!ok) { |
103 fastFree(data); | 106 fastFree(data); |
104 return 0; | 107 return 0; |
105 } | 108 } |
106 data[i] = ival; | 109 data[i] = ival; |
774 | 777 |
775 v8::Handle<v8::Value> V8WebGLRenderingContext::vertexAttrib4fvCallback(const v8:
:Arguments& args) | 778 v8::Handle<v8::Value> V8WebGLRenderingContext::vertexAttrib4fvCallback(const v8:
:Arguments& args) |
776 { | 779 { |
777 INC_STATS("DOM.WebGLRenderingContext.vertexAttrib4fv()"); | 780 INC_STATS("DOM.WebGLRenderingContext.vertexAttrib4fv()"); |
778 return vertexAttribAndUniformHelperf(args, kVertexAttrib4v); | 781 return vertexAttribAndUniformHelperf(args, kVertexAttrib4v); |
779 } | 782 } |
780 | 783 |
781 } // namespace WebCore | 784 } // namespace WebCore |
782 | 785 |
783 #endif // ENABLE(WEBGL) | 786 #endif // ENABLE(WEBGL) |
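Review bot: The overflow guard added at new lines 78-79 in jsArrayToFloatArray, and repeated at 98-99 in jsArrayToIntArray, has no comment, and the header comment above each function still says only "Returns NULL if array failed to convert for any reason". I would add a line above each check such as `// Reject len whose byte count would wrap: a wrapped size under-allocates and the loop below would then write past the buffer.` and extend the header comment to say that an oversized `len` also returns NULL. The bound comes from `uint32_t` while `len * sizeof(float)` is evaluated in `size_t`; this is conservative and safe on both 32- and 64-bit builds, but since the same test now appears twice, a small shared static helper taking the element size would keep the two copies from drifting apart. The callers and the tail of jsArrayToIntArray fall in the skipped regions, so how a NULL return for an oversized length is reported to script cannot be checked from what is shown.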
OLD | NEW |