Bug 860847: for loops in shaders can access negative indices of uniform arrays
Status: Closed, RESOLVED DUPLICATE of bug 837213
Opened 12 years ago, closed 11 years ago
Categories: Core :: Graphics: CanvasWebGL, defect
People: Reporter: miaubiz, Unassigned
Keywords: csectype-disclosure, sec-moderate
Attachments: 1 file (4.43 KB, text/html)
On OS X, a shader such as:
    precision mediump float;
    uniform vec4 x[1];                          // one-element uniform array
    void main() {
        vec4 c = vec4(0.0);
        for (int ii = -1000; ii < -999; ++ii) { // single iteration, ii = -1000
            c += x[ii];                         // index outside the declared bounds
        }
        gl_FragColor = vec4(c.r, c.g, c.b, c.a);
    }
will display random colors.
Attached is a file that will, on my MacBookPro 8.2 with ATI Radeon HD 6770M OpenGL Engine (2.1 ATI-1.6.37), display random colors, and then read out the values of those colors and print them to console.log.
Comment 1 • 12 years ago
Should ANGLE be filtering out code with negative array indices?
If you can read x[-999] can you also read x[999] from a 1-byte array?
Why go through the loop only once? Can you read arbitrary bytes this way?
Flags: needinfo?(bjacob)
Keywords: csec-disclosure, sec-moderate
Updated • 12 years ago
Attachment #736405 - Attachment mime type: text/plain → text/html
Comment 2 • 12 years ago
I don't actually see the bug, I get what look like expected errors:
[10:35:45.545] Error: WebGL: linkProgram failed, with this log:
(22,13): error X3504: literal loop terminated early due to out of bounds array access
(19,6): warning X3557: loop only executes for 0 iteration(s), forcing loop to unroll
Warning: D3D shader compilation failed with default flags. Retrying with avoid flow control.
(22,13): error X3504: literal loop terminated early due to out of bounds array access
(19,6): warning X3557: loop only executes for 0 iteration(s), forcing loop to unroll
Warning: D3D shader compilation failed with avoid flow control flags. Retrying with prefer flow control.
(22,13): error X3504: literal loop terminated early due to out of bounds array access
(19,6): warning X3557: loop only executes for 0 iteration(s), forcing loop to unroll
Warning: D3D shader compilation failed with prefer flow control flags.
@ https://bug860847.bugzilla.mozilla.org/attachment.cgi?id=736405&t=lrxSkcA8uq:139
Keywords: csec-disclosure, sec-moderate
Comment 3 • 12 years ago
Daniel: I suspect that the errors you're getting come from Windows' D3DCompiler.dll while the bug reported here is on Mac.
Once bug 837213 lands, we will be checking for this kind of issue in the ANGLE shader compiler, which we use everywhere to validate shaders before we pass them on to the system's shader compiler.
Let's just fix 837213, which Jeff Gilbert is already working on.
Please CC Jeff, not me, for WebGL security bugs from now on.
Depends on: 837213
Flags: needinfo?(bjacob)
Comment 4 • 12 years ago
Jeff should we close this as a dupe of bug 837213?
Group: gfx-core-security
Flags: needinfo?(jgilbert)
Updated • 12 years ago
Group: gfx-core-security
Comment 5 • 12 years ago
(In reply to David Bolter [:davidb] from comment #4)
> Jeff should we close this as a dupe of bug 837213?
Not until we can be sure it's fixed with the update. Let's leave this as blocked by the ANGLE update.
Flags: needinfo?(jgilbert)
Updated • 12 years ago
Keywords: csec-disclosure, sec-moderate
Comment 6 • 11 years ago
This works for me on the trunk, with the latest ANGLE and the array bounds clamped - can somebody verify?
Flags: needinfo?(miaubiz)
Updated • 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release
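
The array-bounds clamping mentioned in comment 6, sketched as a source-level rewrite. This is an added example, not part of the bug thread and not ANGLE's implementation. The function names, the regex approach and the constant x[999] access added to the reported shader are assumptions for illustration.

```javascript
// Added example, not ANGLE's implementation: a regex-based pass that handles
// only simple, non-nested index expressions on arrays declared in the source.
const TYPE = '(?:float|int|bool|[bi]?vec[234]|mat[234])';

// Map each declared array to its size, e.g. "uniform vec4 x[1];" -> x => 1.
function declaredArrays(src) {
  const sizes = new Map();
  const decl = new RegExp(`\\b${TYPE}\\s+(\\w+)\\s*\\[\\s*(\\d+)\\s*\\]`, 'g');
  for (const m of src.matchAll(decl)) sizes.set(m[1], Number(m[2]));
  return sizes;
}

// Rewrite dynamic indices to a clamped form and report constant indices that
// are out of range. GLSL ES 1.00 has no integer clamp(), hence the float casts.
function clampArrayIndices(src) {
  const sizes = declaredArrays(src);
  const isDecl = new RegExp(`\\b${TYPE}\\s+$`);
  const rejected = [];
  const source = src.replace(/\b(\w+)\s*\[([^\[\]]+)\]/g, (whole, name, idx, offset) => {
    if (!sizes.has(name) || isDecl.test(src.slice(0, offset))) return whole;
    const max = sizes.get(name) - 1;
    const index = idx.trim();
    if (/^[-+]?\d+$/.test(index)) {
      if (Number(index) < 0 || Number(index) > max) rejected.push(`${name}[${index}]`);
      return whole;
    }
    return `${name}[int(clamp(float(${index}), 0.0, ${max}.0))]`;
  });
  return { source, rejected };
}

// Constructed input: the shader from the report wrapped in main(), plus one
// constant out-of-range access (x[999]) to exercise the reject path.
const SAMPLE = `
precision mediump float;
uniform vec4 x[1];
void main() {
  vec4 c = vec4(0.0);
  for (int ii = -1000; ii < -999; ++ii) {
    c += x[ii];
  }
  c += x[999];
  gl_FragColor = vec4(c.r, c.g, c.b, c.a);
}`;

const result = clampArrayIndices(SAMPLE);
console.log(result.source);
console.log('rejected:', result.rejected);
```

A validator built this way would refuse to compile the shader while `rejected` is non-empty and hand only the rewritten source to the system's shader compiler.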