Merge WebKit at Chromium 9.0.597.106: Initial merge by Git

Note that we are tracking the Chromium 9.0.597 release branch,
which is WebKit r72805 + stability cherry picks.

This corresponds to r78455 on the 597 release branch.

Change-Id: I72375d9b61a767449086f0c9dc4105b2a6b62ddc

2 files changed, 6 insertions, 1 deletions

diff --git a/WebCore/html/canvas/DataView.h b/WebCore/html/canvas/DataView.h
index 0681341..1c76c28 100755
--- a/WebCore/html/canvas/DataView.h
+++ b/WebCore/html/canvas/DataView.h
@@ -75,7 +75,7 @@ private:
     DataView(PassRefPtr<ArrayBuffer>, unsigned byteOffset, unsigned byteLength);
 
     template<typename T>
-    inline bool beyondRange(unsigned byteOffset) const { return byteOffset + sizeof(T) > m_byteLength; }
+    inline bool beyondRange(unsigned byteOffset) const { return byteOffset >= m_byteLength || byteOffset + sizeof(T) > m_byteLength; }
 
     template<typename T>
     T getData(unsigned byteOffset, bool littleEndian, ExceptionCode&) const;
diff --git a/WebCore/html/canvas/WebGLRenderingContext.cpp b/WebCore/html/canvas/WebGLRenderingContext.cpp
index 3dd1453..237d80c 100644
--- a/WebCore/html/canvas/WebGLRenderingContext.cpp
+++ b/WebCore/html/canvas/WebGLRenderingContext.cpp
@@ -1146,6 +1146,11 @@ void WebGLRenderingContext::drawElements(unsigned long mode, long count, unsigne
     if (!count)
         return;
 
+    if (!m_boundElementArrayBuffer) {
+        m_context->synthesizeGLError(GraphicsContext3D::INVALID_OPERATION);
+        return;
+    }
+
     long numElements = 0;
     if (!isErrorGeneratedOnOutOfBoundsAccesses()) {
         // Ensure we have a valid rendering state