From 1e06e1a5ae15d0a3a4ef23e2e86fa7b5d00662ff Mon Sep 17 00:00:00 2001
From: Benoit Jacob
Date: Tue, 22 Jul 2014 08:53:24 -0400
Subject: [PATCH] Bug 1041785 - fix a null deref crash in WebGL draw-call validation - r=kamidphish
---
 content/canvas/src/WebGLContext.h | 2 +-
 content/canvas/src/WebGLContextDraw.cpp | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/content/canvas/src/WebGLContext.h b/content/canvas/src/WebGLContext.h
index 1c18b385a03d..4de22b2b1896 100644
--- a/content/canvas/src/WebGLContext.h
+++ b/content/canvas/src/WebGLContext.h
@@ -890,7 +890,7 @@ private:
 bool DrawArrays_check(GLint first, GLsizei count, GLsizei primcount, const char* info);
 bool DrawElements_check(GLsizei count, GLenum type, WebGLintptr byteOffset, GLsizei primcount, const char* info,
- GLuint* out_upperBound = nullptr);
+ GLuint* out_upperBound);
 bool DrawInstanced_check(const char* info);
 void Draw_cleanup();
diff --git a/content/canvas/src/WebGLContextDraw.cpp b/content/canvas/src/WebGLContextDraw.cpp
index fbef5b7554e0..dc1fea8bed7b 100644
--- a/content/canvas/src/WebGLContextDraw.cpp
+++ b/content/canvas/src/WebGLContextDraw.cpp
@@ -333,7 +333,9 @@ WebGLContext::DrawElementsInstanced(GLenum mode, GLsizei count, GLenum type,
 if (!ValidateDrawModeEnum(mode, "drawElementsInstanced: mode"))
 return;
- if (!DrawElements_check(count, type, byteOffset, primcount, "drawElementsInstanced"))
+ GLuint upperBound = 0;
+ if (!DrawElements_check(count, type, byteOffset, primcount, "drawElementsInstanced",
+ &upperBound))
 return;
 RunContextLossTimer();
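Review bot: Dropping the `= nullptr` default on `out_upperBound` removes the caller that crashed, but the declaration still accepts a null pointer, so the same null dereference can be reintroduced by any future call site that passes `nullptr` explicitly. Since every caller must now supply storage, the non-null requirement belongs in the type: `GLuint& out_upperBound` (with callers passing `upperBound` instead of `&upperBound`) makes the compiler enforce it. If the pointer form is kept for consistency with the other `_check` helpers, the definition of `DrawElements_check` — which is outside this hunk — should at least open with `MOZ_ASSERT(out_upperBound);` and the declaration should carry a comment such as `// out_upperBound must be non-null; it is written unconditionally.` so the contract is visible where it is declared.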
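Review bot: The new local `upperBound` is filled in by `DrawElements_check` but none of the visible lines read it afterwards, which leaves a reader wondering whether the instanced path lost a bounds-related step; the remainder of `DrawElementsInstanced` lies outside this hunk, so I cannot confirm whether it is consumed later. If it is not, a one-line comment above the declaration would prevent the next maintainer from either "cleaning it up" back into a null pointer or mistaking it for a missing check, e.g. `// Only needed because DrawElements_check always writes its result; the instanced draw has no range-draw call to feed it.` If it is consumed later in the function, the comment should instead say where, since the index-range result of this validation is what keeps element fetches within the bound buffer.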