[Webkit-unassigned] [Bug 218601] [RELEASE ASSERT][WK2][WebGL2] WebCore::WebGLTransformFeedback::getBoundIndexedTransformFeedbackBuffer triggers std::vector CrashOnOverflow
bugzilla-daemon at webkit.org
Sat Nov 21 18:14:13 PST 2020
https://bugs.webkit.org/show_bug.cgi?id=218601
--- Comment #6 from Ryosuke Niwa <rniwa at webkit.org> ---
(In reply to Rob Buis from comment #5)
> (In reply to Ryosuke Niwa from comment #3)
> > Comment on attachment 414450 [details]
> > Patch
> >
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=414450&action=review
> >
> > > Source/WebCore/html/canvas/WebGLTransformFeedback.cpp:81
> > > *outBuffer = m_boundIndexedTransformFeedbackBuffers[index].get();
> >
> > Is this a release assert crash because of the bounds check?
> > If so, we can add the test?
>
> Yes, it is a release assert crash, I now added the test.
Great. Thanks for verifying!