Chromium Code Reviews
Unified Diff: Source/WebCore/bindings/v8/custom/V8WebGLRenderingContextCustom.cpp

Issue 7491067: Merge 92413 (Closed) Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/782/
Patch Set: Created 9 years, 4 months ago
Index: Source/WebCore/bindings/v8/custom/V8WebGLRenderingContextCustom.cpp
===================================================================
--- Source/WebCore/bindings/v8/custom/V8WebGLRenderingContextCustom.cpp (revision 92502)
+++ Source/WebCore/bindings/v8/custom/V8WebGLRenderingContextCustom.cpp (working copy)
@@ -64,6 +64,7 @@
#include "V8WebGLUniformLocation.h"
#include "V8WebGLVertexArrayObjectOES.h"
#include "WebGLRenderingContext.h"
+#include <limits>
#include <wtf/FastMalloc.h>
namespace WebCore {
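Review bot: `<limits>` is the right header for `std::numeric_limits`, which the two later hunks rely on, and its placement in the angle-bracket group ahead of `<wtf/FastMalloc.h>` keeps the system includes sorted in line with the surrounding WebKit include ordering; nothing to change in this hunk.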
@@ -74,7 +75,8 @@
{
// Convert the data element-by-element.
float* data;
- if (!tryFastMalloc(len * sizeof(float)).getValue(data))
+ if (len > std::numeric_limits<uint32_t>::max() / sizeof(float)
+ || !tryFastMalloc(len * sizeof(float)).getValue(data))
return 0;
for (uint32_t i = 0; i < len; i++) {
v8::Local<v8::Value> val = array->Get(v8::Integer::New(i));
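Review bot: The added bound on `len` closes a length-times-element-size wrap: `len` is a `uint32_t` (the loop index is `uint32_t i`), and on a 32-bit build `len * sizeof(float)` is computed in a 32-bit `size_t`, so a large `len` could wrap to a small byte count, `tryFastMalloc` would succeed with an undersized buffer, and the element loop that follows would write past it. Bounding against `std::numeric_limits<uint32_t>::max() / sizeof(float)` before the multiplication is sound on both 32-bit and 64-bit targets (on 64-bit it is stricter than strictly required, which is fine). Two suggestions: consider `std::numeric_limits<size_t>::max()` so the bound expresses the actual type of the product rather than a fixed 32-bit limit, and since the identical check reappears for the `int` path in the next hunk, a small shared helper (for example, an `isSafeArrayByteLength(len, sizeof(T))`-style function) would keep the two sites from drifting apart.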
@@ -93,7 +95,8 @@
{
// Convert the data element-by-element.
int* data;
- if (!tryFastMalloc(len * sizeof(int)).getValue(data))
+ if (len > std::numeric_limits<uint32_t>::max() / sizeof(int)
+ || !tryFastMalloc(len * sizeof(int)).getValue(data))
return 0;
for (uint32_t i = 0; i < len; i++) {
v8::Local<v8::Value> val = array->Get(v8::Integer::New(i));
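Review bot: Same fix as the float conversion above, applied to the `int` path: the check rejects any `len` for which `len * sizeof(int)` would wrap before `tryFastMalloc` sees it, so the buffer can no longer be smaller than the `len` elements the loop below writes. The condition is correct as written; the only review point is the duplication with the previous hunk, which a shared overflow-check helper would remove so that a future change to one conversion cannot leave the other unguarded.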
