- Revision: 215632
- Author: [email protected]
- Date: 2017-04-21 13:07:07 -0700 (Fri, 21 Apr 2017)
Log Message
Validate vImage arguments
https://bugs.webkit.org/show_bug.cgi?id=171109
Source/WebCore:
rdar://problem/30236606
Patch by Per Arne Vollan <[email protected]> on 2017-04-21
Reviewed by Brent Fulgham.
When writing data to a canvas context, clip the source rectangle to the data rectangle
to make sure we will not attempt to read data outside of the buffer.
Test: fast/canvas/canvas-crash.html
* html/canvas/CanvasRenderingContext2D.cpp:
(WebCore::CanvasRenderingContext2D::putImageData):
LayoutTests:
Patch by Per Arne Vollan <[email protected]> on 2017-04-21
Reviewed by Brent Fulgham.
* fast/canvas/canvas-crash-expected.txt: Added.
* fast/canvas/canvas-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (215631 => 215632)
--- trunk/LayoutTests/ChangeLog 2017-04-21 20:06:09 UTC (rev 215631)
+++ trunk/LayoutTests/ChangeLog 2017-04-21 20:07:07 UTC (rev 215632)
@@ -1,3 +1,13 @@
+2017-04-21 Per Arne Vollan <[email protected]>
+
+ Validate vImage arguments
+ https://bugs.webkit.org/show_bug.cgi?id=171109
+
+ Reviewed by Brent Fulgham.
+
+ * fast/canvas/canvas-crash-expected.txt: Added.
+ * fast/canvas/canvas-crash.html: Added.
+
2017-04-21 Ryan Haddad <[email protected]>
Mark webrtc/datachannel/bufferedAmountLowThreshold.html as flaky.
Added: trunk/LayoutTests/fast/canvas/canvas-crash-expected.txt (0 => 215632)
--- trunk/LayoutTests/fast/canvas/canvas-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/canvas/canvas-crash-expected.txt 2017-04-21 20:07:07 UTC (rev 215632)
@@ -0,0 +1 @@
+PASSED
Added: trunk/LayoutTests/fast/canvas/canvas-crash.html (0 => 215632)
--- trunk/LayoutTests/fast/canvas/canvas-crash.html (rev 0)
+++ trunk/LayoutTests/fast/canvas/canvas-crash.html 2017-04-21 20:07:07 UTC (rev 215632)
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<title>Canvas test: This test passes if it doesn't crash.'</title>
+
+<body>
+
+<a id="a"></a>
+<canvas id="c" class="output" width="100" height="50"></canvas>
+
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+function canvastest()
+{
+ var ctx = document.getCSSCanvasContext("2d", "canvastest", 13951, 11138);
+ ctx.putImageData(ctx.getImageData(1431655766, document.getElementById("a").appendChild(document.createElement("media")).clientWidth, 4096, -1024), 128, -65535, 127, -2147483648, 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111, -1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111);
+}
+
+canvastest();
+
+var result = document.getElementById("a");
+result.innerHTML = "PASSED";
+
+</script>
+
+</body>
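Review bot: the `<title>` text in `+<title>Canvas test: This test passes if it doesn't crash.'</title>` carries a stray trailing `'` after "crash."; drop it so the title reads cleanly. The `<a id="a">` element is also used for two purposes: it receives the dynamically created `<media>` child inside `canvastest()` and is then overwritten by `result.innerHTML = "PASSED"`; a separate result element would keep the reproduction markup and the pass marker independent.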
Modified: trunk/Source/WebCore/ChangeLog (215631 => 215632)
--- trunk/Source/WebCore/ChangeLog 2017-04-21 20:06:09 UTC (rev 215631)
+++ trunk/Source/WebCore/ChangeLog 2017-04-21 20:07:07 UTC (rev 215632)
@@ -1,3 +1,19 @@
+2017-04-21 Per Arne Vollan <[email protected]>
+
+ Validate vImage arguments
+ https://bugs.webkit.org/show_bug.cgi?id=171109
+ rdar://problem/30236606
+
+ Reviewed by Brent Fulgham.
+
+ When writing data to a canvas context, clip the source rectangle to the data rectangle
+ to make sure we will not attempt to read data outside of the buffer.
+
+ Test: fast/canvas/canvas-crash.html
+
+ * html/canvas/CanvasRenderingContext2D.cpp:
+ (WebCore::CanvasRenderingContext2D::putImageData):
+
2017-04-21 David Kilzer <[email protected]>
Switch from -std=gnu++11 to -std=gnu++14 for consistency in DerivedSources.make
Modified: trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp (215631 => 215632)
--- trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp 2017-04-21 20:06:09 UTC (rev 215631)
+++ trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp 2017-04-21 20:07:07 UTC (rev 215632)
@@ -2087,8 +2087,10 @@
return;
IntRect sourceRect(destRect);
sourceRect.move(-destOffset);
+ sourceRect.intersect(IntRect(0, 0, data.width(), data.height()));
- buffer->putByteArray(Unmultiplied, data.data(), IntSize(data.width(), data.height()), sourceRect, IntPoint(destOffset), coordinateSystem);
+ if (!sourceRect.isEmpty())
+ buffer->putByteArray(Unmultiplied, data.data(), IntSize(data.width(), data.height()), sourceRect, IntPoint(destOffset), coordinateSystem);
didDraw(destRect, CanvasDidDrawApplyNone); // ignore transform, shadow and clip
}
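Review bot: `didDraw(destRect, CanvasDidDrawApplyNone)` at the end of the hunk still reports the unclipped `destRect` even when `sourceRect` was reduced by the new `intersect` call or became empty and `putByteArray` was skipped; consider deriving the dirty rect from the clipped `sourceRect` moved back by `destOffset` and skipping `didDraw` when it is empty, so repaint tracking matches what was actually written. The added line `+ sourceRect.intersect(IntRect(0, 0, data.width(), data.height()));` would also benefit from a one-line comment stating that it bounds the read to the `ImageData` buffer, since that out-of-bounds read is the reason for the change per the ChangeLog.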