Integer overflows/underflows in all Gamepad controller api calls.

https://bugs.webkit.org/show_bug.cgi?id=97262

Patch by Scott Graham <scottmg@chromium.org> on 2012-10-17
Reviewed by Abhishek Arya.

Tools:

Range check controller inputs. This code is not exposed to the web,
but makes fuzzers try less hard to break uninteresting code.

* DumpRenderTree/chromium/TestRunner/GamepadController.cpp:
(GamepadController::setButtonCount):
(GamepadController::setButtonData):
(GamepadController::setAxisCount):
(GamepadController::setAxisData):

LayoutTests:

* gamepad/gamepad-out-of-range-crasher.html: Added.
* gamepad/gamepad-out-of-range-crasher-expected.txt: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131640 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 7699b3fe
2012-10-17 Scott Graham <scottmg@chromium.org>
Integer overflows/underflows in all Gamepad controller api calls.
https://bugs.webkit.org/show_bug.cgi?id=97262
Reviewed by Abhishek Arya.
* gamepad/gamepad-out-of-range-crasher.html: Added.
* gamepad/gamepad-out-of-range-crasher-expected.txt: Added.
2012-10-17 Tony Chang <tony@chromium.org>
Unreviewed, Chromium baselines for shadow DOM changes to RenderSlider.
PASS successfullyParsed is true
TEST COMPLETE
Range checks; just shouldn't crash.
<!DOCTYPE html>
<body>
<script src="../fast/js/resources/js-test-pre.js"></script>
<script>
if (window.gamepadController)
{
// check some out of range values.
for (var i = -100; i < 100; ++i)
{
gamepadController.connect(i);
gamepadController.setId(i, "name");
for (var j = -100; i < 100; ++i)
{
gamepadController.setButtonCount(i, j);
gamepadController.setAxisCount(i, j);
gamepadController.setButtonData(i, j, 0.0);
gamepadController.setAxisData(i, j, 0.0);
}
gamepadController.disconnect(i);
}
}
else
{
console.log("FAIL: no gamepadController available.")
}
</script>
<script src="../fast/js/resources/js-test-post.js"></script>
<p>Range checks; just shouldn't crash.</p>
</body>
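Review bot: the inner loop header `for (var j = -100; i < 100; ++i)` tests and increments `i` instead of `j`, so `j` stays at -100 for the whole run, the inner body consumes the outer index, and the outer loop ends after its first iteration: `connect`/`setId` only ever see -100, `disconnect` only sees 100, and the positive out-of-range button and axis indices this test exists to exercise never reach `setButtonCount`, `setButtonData`, `setAxisCount` or `setAxisData`. It should read `for (var j = -100; j < 100; ++j)`; since the expected output only records "TEST COMPLETE", the test passes either way and does not catch this.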
2012-10-17 Scott Graham <scottmg@chromium.org>
Integer overflows/underflows in all Gamepad controller api calls.
https://bugs.webkit.org/show_bug.cgi?id=97262
Reviewed by Abhishek Arya.
Range check controller inputs. This code is not exposed to the web,
but makes fuzzers try less hard to break uninteresting code.
* DumpRenderTree/chromium/TestRunner/GamepadController.cpp:
(GamepadController::setButtonCount):
(GamepadController::setButtonData):
(GamepadController::setAxisCount):
(GamepadController::setAxisData):
2012-10-17 Joseph Pecoraro <pecoraro@apple.com>
Unreviewed watchlist email change.
......@@ -128,6 +128,8 @@ void GamepadController::setButtonCount(const CppArgumentList& args, CppVariant*
if (index < 0 || index >= static_cast<int>(WebKit::WebGamepads::itemsLengthCap))
return;
int buttons = args[1].toInt32();
if (buttons < 0 || buttons >= static_cast<int>(WebKit::WebGamepad::buttonsLengthCap))
return;
m_gamepads.items[index].buttonsLength = buttons;
m_delegate->setGamepadData(m_gamepads);
result->setNull();
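Review bot: the new `buttons` guard treats a count like an index. The value is stored as a length (`m_gamepads.items[index].buttonsLength = buttons`), not used to subscript the array the way `button` is in `setButtonData`, so a value equal to the cap is a legitimate length and `buttons >= static_cast<int>(WebKit::WebGamepad::buttonsLengthCap)` rejects it. Suggest `buttons > static_cast<int>(WebKit::WebGamepad::buttonsLengthCap)` here so a test can still describe a fully populated pad; the `>=` form is the right one for the index check in the next hunk.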
......@@ -143,6 +145,8 @@ void GamepadController::setButtonData(const CppArgumentList& args, CppVariant* r
if (index < 0 || index >= static_cast<int>(WebKit::WebGamepads::itemsLengthCap))
return;
int button = args[1].toInt32();
if (button < 0 || button >= static_cast<int>(WebKit::WebGamepad::buttonsLengthCap))
return;
double data = args[2].toDouble();
m_gamepads.items[index].buttons[button] = data;
m_delegate->setGamepadData(m_gamepads);
......@@ -159,6 +163,8 @@ void GamepadController::setAxisCount(const CppArgumentList& args, CppVariant* re
if (index < 0 || index >= static_cast<int>(WebKit::WebGamepads::itemsLengthCap))
return;
int axes = args[1].toInt32();
if (axes < 0 || axes >= static_cast<int>(WebKit::WebGamepad::axesLengthCap))
return;
m_gamepads.items[index].axesLength = axes;
m_delegate->setGamepadData(m_gamepads);
result->setNull();
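Review bot: same off-by-one as in `setButtonCount`: `axes` is assigned to `axesLength`, not used as a subscript, so `axes == axesLengthCap` is a valid count and `axes >= static_cast<int>(WebKit::WebGamepad::axesLengthCap)` wrongly drops it. Use `>` for the two count setters and keep `>=` for `setAxisData`/`setButtonData`, where the value indexes the fixed array.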
......@@ -174,6 +180,8 @@ void GamepadController::setAxisData(const CppArgumentList& args, CppVariant* res
if (index < 0 || index >= static_cast<int>(WebKit::WebGamepads::itemsLengthCap))
return;
int axis = args[1].toInt32();
if (axis < 0 || axis >= static_cast<int>(WebKit::WebGamepad::axesLengthCap))
return;
double data = args[2].toDouble();
m_gamepads.items[index].axes[axis] = data;
m_delegate->setGamepadData(m_gamepads);
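Review bot: style point. The same two guards (`index` against `itemsLengthCap`, then the second argument against the per-pad cap) are now written out four times across these hunks; a pair of small static helpers, e.g. `static bool gamepadIndexInRange(int index)` and one for the button/axis argument, would keep the bounds and the count-versus-index distinction in one place and make the next caller less likely to copy the wrong comparison.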