Closed
Bug 958723
Opened 11 years ago
Closed 11 years ago
Crash in WebGLContext::GetFramebufferAttachmentParameter when WEBGL_draw_buffers is enabled
Categories
(Core :: Graphics: CanvasWebGL, defect)
Core
Graphics: CanvasWebGL
Tracking
()
VERIFIED
FIXED
mozilla30
| Tracking | Status | |
|---|---|---|
| firefox27 | --- | unaffected |
| firefox28 | --- | affected |
| firefox29 | --- | affected |
| firefox30 | --- | verified |
| firefox-esr24 | --- | unaffected |
People
(Reporter: guillaume.abadie, Assigned: jgilbert)
References
()
Details
(Keywords: csectype-nullptr, sec-other, Whiteboard: [adv-main30-])
Attachments
(3 files, 6 obsolete files)
|
9.28 KB,
text/html
|
Details | |
|
1.85 KB,
patch
|
guillaume.abadie
:
review+
|
Details | Diff | Splinter Review |
|
2.45 KB,
patch
|
u480271
:
review+
|
Details | Diff | Splinter Review |
I predict crash right here if we have not bind any frame buffer before, because we are checking for if (!mBoundFramebuffer) after. :S
http://dxr.mozilla.org/mozilla-central/source/content/canvas/src/WebGLContextGL.cpp#1399
Here is a test case that would raise the crash:
gl = create a WebGL 1 context
gl.getExtension("WEBGL_draw_buffers");
gl.getFramebufferAttachmentParameter(gl.FRAMEBUFFER, gl.COLOR_ATTACHEMENT0, 0x8210);
|
Assignee | |
Comment 1•11 years ago
|
||
Confirmed on nightly29.
|
|
Assignee | |
Updated•11 years ago
|
status-firefox29:
--- → affected
|
Reporter | |
Comment 2•11 years ago
|
||
Patch in coming! =)
|
|
Reporter | |
Comment 3•11 years ago
|
||
Attachment #8358637 -
Flags: review?(jgilbert)
|
|
Assignee | |
Updated•11 years ago
|
status-firefox27:
--- → unaffected
status-firefox28:
--- → affected
|
|
Assignee | |
Comment 4•11 years ago
|
||
Fixed testcase.
Attachment #8358635 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 5•11 years ago
|
||
I think this is a cleaner way to do this.
Attachment #8358653 -
Flags: review?(guillaume.abadie)
|
|
Assignee | |
Comment 6•11 years ago
|
||
This should just be sec-dos, or whatever the modern equivalent is, but might be higher. Null pointer deref.
|
|
Reporter | |
Comment 7•11 years ago
|
||
Comment on attachment 8358653 [details] [diff] [review]
fb-query-crash
Review of attachment 8358653 [details] [diff] [review]:
-----------------------------------------------------------------
I don't think so
::: content/canvas/src/WebGLContextGL.cpp
@@ +1408,5 @@
> return JS::NullValue();
> }
> +
> + // Particularly important for WEBGL_draw_buffers, but we might as well do it unconditionally.
> + mBoundFramebuffer->EnsureColorAttachments(attachment - LOCAL_GL_COLOR_ATTACHMENT0);
No it isn't because if attachment == DEPTH_STENCIL_ATTACHMENT then your are having a negative number given to EnsureColorAttachments()
Attachment #8358653 -
Flags: review?(guillaume.abadie) → review-
|
|
Reporter | |
Comment 8•11 years ago
|
||
What about this? Knowing that mGLMaxColorAttachments is set to 1 by default, and then changed when enabling the WEBGL_draw_buffers extension.
Attachment #8358637 -
Attachment is obsolete: true
Attachment #8358637 -
Flags: review?(jgilbert)
Attachment #8358662 -
Flags: review?(jgilbert)
|
|
Assignee | |
Comment 9•11 years ago
|
||
Comment on attachment 8358662 [details] [diff] [review]
patch revision 2
Review of attachment 8358662 [details] [diff] [review]:
-----------------------------------------------------------------
::: content/canvas/src/WebGLContextGL.cpp
@@ +1403,2 @@
> }
> + else if (!mBoundFramebuffer) {
I don't like that this mixes trains of logic. Let's just check for a valid FB first.
Attachment #8358662 -
Flags: review?(jgilbert) → review-
|
|
Assignee | |
Comment 10•11 years ago
|
||
Attachment #8358653 -
Attachment is obsolete: true
Attachment #8358667 -
Flags: review?(guillaume.abadie)
|
|
Reporter | |
Comment 11•11 years ago
|
||
Comment on attachment 8358667 [details] [diff] [review]
fb-query-crash2
Review of attachment 8358667 [details] [diff] [review]:
-----------------------------------------------------------------
I have to say that I have thought about this idea too. But I also think that changing orders between the INVALID_OPERATION and the INVALID_ENUM could generates regression on the WebGL conformance test. Also generating an INVALID_OPERATION when the operation might even not be VALID regarding enumerations doesn't make any senses. That is why I believe the order between the INVALID_OPERATION and the INVALID_ENUM must not be changed.
Attachment #8358667 -
Flags: review?(guillaume.abadie) → review-
|
|
Reporter | |
Comment 12•11 years ago
|
||
What about that? =)
Attachment #8358662 -
Attachment is obsolete: true
Attachment #8358675 -
Flags: review?(jgilbert)
|
|
Assignee | |
Comment 13•11 years ago
|
||
Comment on attachment 8358667 [details] [diff] [review]
fb-query-crash2
Review of attachment 8358667 [details] [diff] [review]:
-----------------------------------------------------------------
We already have some INVALID_ENUM tests after the INVALID_OPERATION. I'm pretty sure we're allowed to return these in any order, so if the tests have problems with this, we should fix the tests.
That said, I ran the tests, and they all pass on both.
Attachment #8358667 -
Flags: review- → review?(guillaume.abadie)
|
|
Reporter | |
Comment 14•11 years ago
|
||
Comment on attachment 8358667 [details] [diff] [review]
fb-query-crash2
Review of attachment 8358667 [details] [diff] [review]:
-----------------------------------------------------------------
All right.
Attachment #8358667 -
Flags: review?(guillaume.abadie) → review+
|
|
Assignee | |
Updated•11 years ago
|
Attachment #8358675 -
Attachment is obsolete: true
Attachment #8358675 -
Flags: review?(jgilbert)
|
|
Assignee | |
Comment 16•11 years ago
|
||
This is just a null-deref. It shouldn't even qualify as sec-moderate.
|
|
Assignee | |
Updated•11 years ago
|
|
|
Assignee | |
Comment 17•11 years ago
|
||
Attachment #8385048 -
Flags: review?(dglastonbury)
|
||
Comment 18•11 years ago
|
||
Comment on attachment 8385048 [details] [diff] [review]
patch 2: test
Review of attachment 8385048 [details] [diff] [review]:
-----------------------------------------------------------------
Nits
::: content/canvas/test/webgl/non-conf-tests/test_fb_param_crash.html
@@ +29,5 @@
> + var text = 'gl.getError should be 0x' + reference.toString(16) +
> + ', was 0x' + error.toString(16) + '.';
> + func(error == reference, prefix + text);
> + }
> +
To the god of whitespace, we say "not today!"
@@ +40,5 @@
> +
> + var result = gl.getFramebufferAttachmentParameter(gl.FRAMEBUFFER,
> + gl.COLOR_ATTACHMENT0,
> + gl.FRAMEBUFFER_ATTACHMENT_OBJECT_NAME);
> +
To the god of whitespace, we say "not today!"
Attachment #8385048 -
Flags: review?(dglastonbury) → review-
|
|
Assignee | |
Comment 19•11 years ago
|
||
Haha, alright.
|
|
Assignee | |
Comment 20•11 years ago
|
||
Attachment #8385048 -
Attachment is obsolete: true
Attachment #8385702 -
Flags: review?(dglastonbury)
|
|
||
Comment 21•11 years ago
|
||
Comment on attachment 8385702 [details] [diff] [review]
patch 2: test
Review of attachment 8385702 [details] [diff] [review]:
-----------------------------------------------------------------
gtg
Attachment #8385702 -
Flags: review?(dglastonbury) → review+
|
|
Assignee | |
Comment 22•11 years ago
|
||
|
|
Assignee | |
Comment 23•11 years ago
|
||
I'll just take responsibility for this.
Assignee: guillaume.abadie → jgilbert
|
||
Comment 24•11 years ago
|
||
landed on mozilla-central https://hg.mozilla.org/mozilla-central/rev/e43df9cf4e7d and https://hg.mozilla.org/mozilla-central/rev/c97ab81ac53f
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox30:
--- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
|
||
Updated•11 years ago
|
status-firefox-esr24:
--- → unaffected
|
||
Updated•10 years ago
|
Group: core-security
|
||
Updated•10 years ago
|
Whiteboard: [adv-main30-]
|
||
Comment 25•10 years ago
|
||
Confirmed crash, 2014-02-11, Fx30.
Verified fixed, 2014-05-07, Fx30.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•