Closed Bug 765161 Opened 12 years ago Closed 12 years ago

WebGL crash when empty string is passed to getUniformLocation, getAttribLocation or bindAttribLocation [@mozilla::WebGLProgram::MapIdentifier] (dupe)

Categories

(Core :: Graphics: CanvasWebGL, defect)

Product:
Core
Component:
Graphics: CanvasWebGL
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 765179

People

(Reporter: posidron, Unassigned)

Details

(Keywords: crash, sec-other, testcase, Whiteboard: [asan] [sg:dupe 765179])

Attachments

(3 files)

testcase
1.74 KB, text/html
Details
callstack
6.65 KB, text/plain
Details
check for empty variable names
905 bytes, patch
Details | Diff | Splinter Review
Attached file testcase 
Have only marked this as a sec bug because asan said heap overflow. 

The second parameter for getUniformLocation() is causing a crash which is an empty string.

getUniformLocation(pg, '');
Attached file callstack 

    
    

    
  


  
This should fix it, although i am running in Valgrind at the moment to confirm.

Doing it in ValidateGLSLVariableName() allows to fix this bug also in other functions all at once.

        Attachment #633541 -
        Flags: review?

        Attachment #633541 -
        Flags: review? → review?(jgilbert)
Summary: WebGL crash with getUniformLocation string [@mozilla::WebGLProgram::MapIdentifier] → WebGL crash when empty string is passed to getUniformLocation, getAttribLocation or bindAttribLocation string [@mozilla::WebGLProgram::MapIdentifier]
Summary: WebGL crash when empty string is passed to getUniformLocation, getAttribLocation or bindAttribLocation string [@mozilla::WebGLProgram::MapIdentifier] → WebGL crash when empty string is passed to getUniformLocation, getAttribLocation or bindAttribLocation [@mozilla::WebGLProgram::MapIdentifier]

    
    

    
  
No valgrind errors with this patch.

    
    

    
  
Comment on attachment 633541 [details] [diff] [review]
check for empty variable names

We ended up doing the reviews on the other bug, sorry.

        Attachment #633541 -
        Flags: review?(jgilbert)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Whiteboard: [asan] → [asan] [sg:dupe 765179]
Summary: WebGL crash when empty string is passed to getUniformLocation, getAttribLocation or bindAttribLocation [@mozilla::WebGLProgram::MapIdentifier] → WebGL crash when empty string is passed to getUniformLocation, getAttribLocation or bindAttribLocation [@mozilla::WebGLProgram::MapIdentifier] (dupe)

    
    

    
  
Original bug is open now, so we can open this too.
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: