Bug 623791 - (CVE-2011-1302) [ANGLE] WebGLES shader assertion failed: (oldhashloc >= 0), function IncreaseHashTableSize
Keywords: crash, testcase
Product: Core
Classification: Components
Component: Canvas: WebGL
Version: Trunk
Platform: x86_64 Mac OS X
Importance: -- critical
Assigned To: Benoit Jacob [:bjacob] (mostly away)
QA Contact: Milan Sreckovic [:milan]
Depends on: 646229 649233
Blocks: 658170
Reported: 2011-01-06 17:44 PST by Christoph Diehl [:posidron]
Modified: 2011-05-18 22:01 PDT

Attachments:
callstack (8.17 KB, text/plain), 2011-01-06 17:45 PST, Christoph Diehl [:posidron]
testcase (110.78 KB, application/zip), 2011-01-06 17:46 PST, Christoph Diehl [:posidron]

Description Christoph Diehl [:posidron] 2011-01-06 17:44:58 PST

Comment 1 Christoph Diehl [:posidron] 2011-01-06 17:45:32 PST
Created attachment 501885 (callstack)
Comment 2 Christoph Diehl [:posidron] 2011-01-06 17:46:04 PST
Created attachment 501886 (testcase)
Comment 3 daniel-bzmz 2011-02-09 06:29:28 PST
Can you please file this in the ANGLE issue tracker as well?  Thanks
Comment 4 daniel-bzmz 2011-04-04 10:27:38 PDT
We have fixed this issue in ANGLE revision 605.  Mozilla still crashes (under windows), but no longer in ANGLE code, so we expect that the validator must be statically compiled in and needs to be updated to verify this.
Comment 5 Daniel Veditz [:dveditz] 2011-04-05 18:20:32 PDT
The upstream bug says

  A critical parser bug was fixed in r605. When loading the shader from a
  file, Chrome previously crashed but now properly reports the shader
  compilation failures.

The patch fixes a buffer overflow.

This was also fixed in Chrome, so we need to get it into Macaw asap.
Comment 6 Daniel Veditz [:dveditz] 2011-04-11 17:36:05 PDT
Chrome fixed an additional "off by three" overwrite in libGLESv2.
Comment 7 Joe Drew (not getting mail) 2011-04-12 00:45:27 PDT
This will be fixed with the patches in bug 649233.
Comment 8 Joe Drew (not getting mail) 2011-04-12 01:41:54 PDT
This landed on mozilla-central. Going to land these patches on mozilla-2.0 once they are approved in bug 649233.
Comment 9 Daniel Veditz [:dveditz] 2011-04-25 13:36:54 PDT
Credit for the additional security fix the Chrome team reported to us (comment 6) should go to "yuri.ko616". It wasn't actually reported as a security issue, just a crash.
Comment 10 Daniel Veditz [:dveditz] 2011-04-25 13:45:45 PDT
The additional fix for yuri.ko616's bug is tracked by Google at (hidden security bug)

Christophe's original bug is tracked by them at

Announced (without detail) on 4/14 at
Comment 11 Chris Evans 2011-04-25 14:11:41 PDT
Actually, the guy wanted to be credited as "Yuri Ko".
I messed up in the Chrome release notes.
Comment 12 Joe Drew (not getting mail) 2011-04-25 19:23:14 PDT
I was pinged for some additional information on why we landed the ANGLE update the way we did.

The Chrome maintainers created a chrome_m10 branch in upstream ANGLE, and cherrypicked the changes they wanted. They branched off ANGLE r551, but the last time we updated was ANGLE r550. So, in order to stay 100% current with the chrome_m10 branch, we applied both r551 and r611, the two changesets that branch had that mozilla-central didn't have.
Comment 13 Daniel Veditz [:dveditz] 2011-05-07 14:21:25 PDT
Updating the CVE number: the Chrome security team already assigned CVE-2011-1302 to Christophe's bug and MITRE has duped -0068 to that one.

Yuri's bug was CVE-2011-1300
Comment 14 Daniel Veditz [:dveditz] 2011-05-07 14:34:56 PDT
I apologize for repeatedly misspelling Christoph's name.
Comment 15 Christoph Diehl [:posidron] 2011-05-07 14:41:19 PDT
No problem. :)