2011-04-14 Zhenyao Mo <zmo@google.com>

Zhenyao Mo · Zhenyao Mo · commit bac333e7ff63 · 2011-04-15T18:01:53.000Z
Reviewed by Kenneth Russell. Use HTMLImageElement in Canvas 2D / WebGL before response is ready causes crash https://bugs.webkit.org/show_bug.cgi?id=58501 * html/canvas/WebGLRenderingContext.cpp: (WebCore::WebGLRenderingContext::texImage2D): Call validateHTMLImageElement(). (WebCore::WebGLRenderingContext::texSubImage2D): Ditto. (WebCore::WebGLRenderingContext::validateHTMLImageElement): Make sure image is ready. * html/canvas/WebGLRenderingContext.h: Canonical link: https://commits.webkit.org/73746@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@83992 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2011-04-14  Zhenyao Mo  <zmo@google.com>
+
+        Reviewed by Kenneth Russell.
+
+        Use HTMLImageElement in Canvas 2D / WebGL before response is ready causes crash
+        https://bugs.webkit.org/show_bug.cgi?id=58501
+
+        * html/canvas/WebGLRenderingContext.cpp:
+        (WebCore::WebGLRenderingContext::texImage2D): Call validateHTMLImageElement().
+        (WebCore::WebGLRenderingContext::texSubImage2D): Ditto.
+        (WebCore::WebGLRenderingContext::validateHTMLImageElement): Make sure image is ready.
+        * html/canvas/WebGLRenderingContext.h:
+
 2011-04-07  MORITA Hajime  <morrita@google.com>
 
         Reviewed by Ryosuke Niwa.
diff --git a/Source/WebCore/html/canvas/WebGLRenderingContext.cpp b/Source/WebCore/html/canvas/WebGLRenderingContext.cpp
@@ -3140,10 +3140,8 @@ void WebGLRenderingContext::texImage2D(GC3Denum target, GC3Dint level, GC3Denum
     ec = 0;
     if (isContextLost())
         return;
-    if (!image || !image->cachedImage()) {
-        m_context->synthesizeGLError(GraphicsContext3D::INVALID_VALUE);
+    if (!validateHTMLImageElement(image))
         return;
-    }
     checkOrigin(image);
     texImage2DImpl(target, level, internalformat, format, type, image->cachedImage()->image(),
                    m_unpackFlipY, m_unpackPremultiplyAlpha, ec);
@@ -3334,10 +3332,8 @@ void WebGLRenderingContext::texSubImage2D(GC3Denum target, GC3Dint level, GC3Din
     ec = 0;
     if (isContextLost())
         return;
-    if (!image || !image->cachedImage()) {
-        m_context->synthesizeGLError(GraphicsContext3D::INVALID_VALUE);
+    if (!validateHTMLImageElement(image))
         return;
-    }
     checkOrigin(image);
     texSubImage2DImpl(target, level, xoffset, yoffset, format, type, image->cachedImage()->image(),
                       m_unpackFlipY, m_unpackPremultiplyAlpha, ec);
@@ -4613,6 +4609,20 @@ WebGLBuffer* WebGLRenderingContext::validateBufferDataParameters(GC3Denum target
     return 0;
 }
 
+bool WebGLRenderingContext::validateHTMLImageElement(HTMLImageElement* image)
+{
+    if (!image || !image->cachedImage()) {
+        m_context->synthesizeGLError(GraphicsContext3D::INVALID_VALUE);
+        return false;
+    }
+    const KURL& url = image->cachedImage()->response().url();
+    if (url.isNull() || url.isEmpty() || !url.isValid()) {
+        m_context->synthesizeGLError(GraphicsContext3D::INVALID_VALUE);
+        return false;
+    }
+    return true;
+}
+
 void WebGLRenderingContext::vertexAttribfImpl(GC3Duint index, GC3Dsizei expectedSize, GC3Dfloat v0, GC3Dfloat v1, GC3Dfloat v2, GC3Dfloat v3)
 {
     if (isContextLost())
diff --git a/Source/WebCore/html/canvas/WebGLRenderingContext.h b/Source/WebCore/html/canvas/WebGLRenderingContext.h
@@ -590,6 +590,9 @@ class WebGLRenderingContext : public CanvasRenderingContext {
     // Return the current bound buffer to target, or 0 if parameters are invalid.
     WebGLBuffer* validateBufferDataParameters(GC3Denum target, GC3Denum usage);
 
+    // Helper function for tex{Sub}Image2D to make sure image is ready.
+    bool validateHTMLImageElement(HTMLImageElement*);
+
     // Helper functions for vertexAttribNf{v}.
     void vertexAttribfImpl(GC3Duint index, GC3Dsizei expectedSize, GC3Dfloat, GC3Dfloat, GC3Dfloat, GC3Dfloat);
     void vertexAttribfvImpl(GC3Duint index, Float32Array*, GC3Dsizei expectedSize);
