LibWeb: Ensure WebGL buffers don't mix between index and other data

The spec mandates that a buffer during its lifetime can only get bound to either an index buffer or any other type.
Author: https://github.com/cqundefine Commit: 7d6212ae71 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/6744 Reviewed-by: https://github.com/gmta ✅ Reviewed-by: https://github.com/konradekk
2025-12-07 21:59:54 +00:00 · 2025-11-06 22:39:51 +01:00 · 2025-11-06 22:39:51 +01:00 · 7d6212ae71 · 2025-11-27 18:21:19 +00:00
commit 7d6212ae71
parent 85478c9215
4 changed files with 38 additions and 0 deletions
--- a/Libraries/LibWeb/WebGL/WebGL2RenderingContextImpl.cpp
+++ b/Libraries/LibWeb/WebGL/WebGL2RenderingContextImpl.cpp
@ -2,6 +2,7 @@
 * Copyright (c) 2024-2025, Aliaksandr Kalenik <kalenik.aliaksandr@gmail.com>
 * Copyright (c) 2024-2025, Luke Wilde <luke@ladybird.org>
 * Copyright (c) 2025, Jelle Raaijmakers <jelle@ladybird.org>
+ * Copyright (c) 2025, Undefine <undefine@undefine.pl>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */
@ -964,6 +965,11 @@ void WebGL2RenderingContextImpl::bind_buffer_base(WebIDL::UnsignedLong target, W
            return;
        }
        buffer_handle = handle_or_error.release_value();
+
+        if (!buffer->is_compatible_with(target)) {
+            set_error(GL_INVALID_OPERATION);
+            return;
+        }
    }
    glBindBufferBase(target, index, buffer_handle);
 }
@ -980,6 +986,11 @@ void WebGL2RenderingContextImpl::bind_buffer_range(WebIDL::UnsignedLong target,
            return;
        }
        buffer_handle = handle_or_error.release_value();
+
+        if (!buffer->is_compatible_with(target)) {
+            set_error(GL_INVALID_OPERATION);
+            return;
+        }
    }
    glBindBufferRange(target, index, buffer_handle, offset, size);
 }
--- a/Libraries/LibWeb/WebGL/WebGLBuffer.cpp
+++ b/Libraries/LibWeb/WebGL/WebGLBuffer.cpp
@ -2,10 +2,12 @@
 * Copyright (c) 2024, Jelle Raaijmakers <jelle@ladybird.org>
 * Copyright (c) 2024, Aliaksandr Kalenik <kalenik.aliaksandr@gmail.com>
 * Copyright (c) 2024, Luke Wilde <luke@ladybird.org>
+ * Copyright (c) 2025, Undefine <undefine@undefine.pl>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

+#include <GLES2/gl2.h>
 #include <LibJS/Runtime/Realm.h>
 #include <LibWeb/Bindings/Intrinsics.h>
 #include <LibWeb/Bindings/WebGLBufferPrototype.h>
@ -33,4 +35,18 @@ void WebGLBuffer::initialize(JS::Realm& realm)
    Base::initialize(realm);
 }

+bool WebGLBuffer::is_compatible_with(GLenum target)
+{
+    // https://registry.khronos.org/webgl/specs/latest/2.0/#5.1
+    if (!m_target.has_value()) {
+        m_target = target;
+        return true;
+    }
+
+    if (target == GL_ELEMENT_ARRAY_BUFFER)
+        return m_target.value() == GL_ELEMENT_ARRAY_BUFFER;
+
+    return m_target.value() != GL_ELEMENT_ARRAY_BUFFER;
+}
+
 }
--- a/Libraries/LibWeb/WebGL/WebGLBuffer.h
+++ b/Libraries/LibWeb/WebGL/WebGLBuffer.h
@ -2,6 +2,7 @@
 * Copyright (c) 2024, Jelle Raaijmakers <jelle@ladybird.org>
 * Copyright (c) 2024, Aliaksandr Kalenik <kalenik.aliaksandr@gmail.com>
 * Copyright (c) 2024, Luke Wilde <luke@ladybird.org>
+ * Copyright (c) 2025, Undefine <undefine@undefine.pl>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */
@ -22,10 +23,15 @@ public:

    virtual ~WebGLBuffer();

+    bool is_compatible_with(GLenum target);
+
 protected:
    explicit WebGLBuffer(JS::Realm&, WebGLRenderingContextBase&, GLuint handle);

    virtual void initialize(JS::Realm&) override;
+
+private:
+    Optional<GLenum> m_target;
 };

 }
--- a/Libraries/LibWeb/WebGL/WebGLRenderingContextImpl.cpp
+++ b/Libraries/LibWeb/WebGL/WebGLRenderingContextImpl.cpp
@ -134,6 +134,11 @@ void WebGLRenderingContextImpl::bind_buffer(WebIDL::UnsignedLong target, GC::Roo
            return;
        }
        buffer_handle = handle_or_error.release_value();
+
+        if (!buffer->is_compatible_with(target)) {
+            set_error(GL_INVALID_OPERATION);
+            return;
+        }
    }

    if (m_context->webgl_version() == OpenGLContext::WebGLVersion::WebGL2) {