Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4369d90c86f60f1ff9bf122219b9a691e6afa25b
https://github.com/WebKit/WebKit/commit/4369d90c86f60f1ff9bf122219b9a691e6afa25b
Author: Roberto Rodriguez <[email protected]>
Date: 2026-03-11 (Wed, 11 Mar 2026)
Changed paths:
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/ProgramExecutableMtl.h
M
Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/ProgramExecutableMtl.mm
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/VertexArrayMtl.mm
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_buffer_pool.h
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_buffer_pool.mm
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_command_buffer.h
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_command_buffer.mm
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_render_utils.mm
M Source/ThirdParty/ANGLE/src/tests/BUILD.gn
M Source/ThirdParty/ANGLE/src/tests/angle_white_box_tests.gni
A Source/ThirdParty/ANGLE/src/tests/gl_tests/BufferPoolTestMetal.mm
Log Message:
-----------
Fix integer truncation in mtl_buffer_pool
https://bugs.webkit.org/show_bug.cgi?id=304318
rdar://166535879
Reviewed by Kimmo Kinnunen.
Fix Metal backend integer overflow vulnerabilities in BufferPool
BufferPool uses uint32_t for offset tracking, causing silent truncation beyond
4GB.
Change mNextAllocationOffset and mLastFlushOffset to size_t and remove
truncating casts.
Add ANGLE white box test to test BufferPool class.
* Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_buffer_pool.h:
* Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_buffer_pool.mm:
(rx::mtl::BufferPool::allocate):
(rx::mtl::BufferPool::updateAlignment):
Originally-landed-as: 301765.427@safari-7623-branch (0d65ad29c897).
rdar://170272088
Canonical link: https://commits.webkit.org/309041@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
