- Revision: 271583
- Author: [email protected]
- Date: 2021-01-18 12:13:02 -0800 (Mon, 18 Jan 2021)
Log Message
createImageBitmap() causes null pointer dereference using Cairo lib
https://bugs.webkit.org/show_bug.cgi?id=220584
Reviewed by Carlos Garcia Campos.
Source/WebCore:
createImageBitmap(ImageData) creates an internal ImageBuffer with
the same size as the given ImageData. The Cairo port limits the
maximum width/height of an ImageBuffer to 32768. It
fails to create the internal ImageBuffer if the ImageData size is
greater than 32768. Added a null check for the case.
Test: fast/images/createImageBitmap-with-ImageData.html
* html/ImageBitmap.cpp:
(WebCore::ImageBitmap::createPromise): Added a null check for
tempBitmapData. Call resolveWithBlankImageBuffer in that case.
* platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp:
(WebCore::ImageBufferCairoImageSurfaceBackend::create): Check the
cairo_surface_status of 'surface' to avoid the assertion failure
in the ImageBufferCairoImageSurfaceBackend ctor.
LayoutTests:
* fast/images/createImageBitmap-with-ImageData-expected.txt: Added.
* fast/images/createImageBitmap-with-ImageData.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (271582 => 271583)
--- trunk/LayoutTests/ChangeLog 2021-01-18 19:41:11 UTC (rev 271582)
+++ trunk/LayoutTests/ChangeLog 2021-01-18 20:13:02 UTC (rev 271583)
@@ -1,3 +1,13 @@
+2021-01-18 Fujii Hironori <[email protected]>
+
+ createImageBitmap() causes null pointer dereference using Cairo lib
+ https://bugs.webkit.org/show_bug.cgi?id=220584
+
+ Reviewed by Carlos Garcia Campos.
+
+ * fast/images/createImageBitmap-with-ImageData-expected.txt: Added.
+ * fast/images/createImageBitmap-with-ImageData.html: Added.
+
2021-01-18 Youenn Fablet <[email protected]>
[ Mac WK1 ] REGRESSION (r239145) Layout Test http/wpt/mediarecorder/MediaRecorder-dataavailable.html is flaky text diff failure
Added: trunk/LayoutTests/fast/images/createImageBitmap-with-ImageData-expected.txt (0 => 271583)
--- trunk/LayoutTests/fast/images/createImageBitmap-with-ImageData-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/images/createImageBitmap-with-ImageData-expected.txt 2021-01-18 20:13:02 UTC (rev 271583)
@@ -0,0 +1,13 @@
+Test the maximum ImageBitmap sizes of Cairo port
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS imageBitmap.width is 1
+PASS imageBitmap.width is 1
+PASS imageBitmap.height is 1
+PASS imageBitmap.height is 1
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/images/createImageBitmap-with-ImageData.html (0 => 271583)
--- trunk/LayoutTests/fast/images/createImageBitmap-with-ImageData.html (rev 0)
+++ trunk/LayoutTests/fast/images/createImageBitmap-with-ImageData.html 2021-01-18 20:13:02 UTC (rev 271583)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <script src=""
+ <script>
+ description("Test the maximum ImageBitmap sizes of Cairo port");
+ _onload_ = async () => {
+ var data = "" ImageData(32768, 1);
+ imageBitmap = await createImageBitmap(data, { resizeWidth: 1 });
+ shouldBe("imageBitmap.width", "1");
+ data = "" ImageData(1, 32769);
+ imageBitmap = await createImageBitmap(data, { resizeWidth: 1 });
+ shouldBe("imageBitmap.width", "1");
+ data = "" ImageData(1, 32768);
+ imageBitmap = await createImageBitmap(data, { resizeHeight: 1 });
+ shouldBe("imageBitmap.height", "1");
+ data = "" ImageData(1, 32769);
+ imageBitmap = await createImageBitmap(data, { resizeHeight: 1 });
+ shouldBe("imageBitmap.height", "1");
+ }
+ </script>
+ </head>
+</html>
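Review bot: the assertions `shouldBe("imageBitmap.width", "1")` and `shouldBe("imageBitmap.height", "1")` cannot distinguish the two outcomes this change makes possible: a bitmap that was genuinely resized to the requested 1-pixel dimension and the empty bitmap produced by the `resolveWithBlankImageBuffer` fallback both report that dimension, so the test proves the promise resolves without a crash but not which path was taken. A comment in the test stating that crash-free resolution is the point, and a comment tying the 32768/32769 inputs to the Cairo size limit named in the ChangeLog, would make the expectation explicit for whoever next touches the limit.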
Modified: trunk/Source/WebCore/ChangeLog (271582 => 271583)
--- trunk/Source/WebCore/ChangeLog 2021-01-18 19:41:11 UTC (rev 271582)
+++ trunk/Source/WebCore/ChangeLog 2021-01-18 20:13:02 UTC (rev 271583)
@@ -1,3 +1,26 @@
+2021-01-18 Fujii Hironori <[email protected]>
+
+ createImageBitmap() causes null pointer dereference using Cairo lib
+ https://bugs.webkit.org/show_bug.cgi?id=220584
+
+ Reviewed by Carlos Garcia Campos.
+
+ createImageBitmap(ImageData) creates an internal ImageBuffer with
+ the same size of the given ImageData. Cairo port has the
+ limitation to maximum width/height of ImageBuffer as 32768. It
+ fails to create the internal ImageBuffer if the ImageData size is
+ greater than 32768. Added a null-checking for the case.
+
+ Test: fast/images/createImageBitmap-with-ImageData.html
+
+ * html/ImageBitmap.cpp:
+ (WebCore::ImageBitmap::createPromise): Added a null-checking for
+ tempBitmapData. Call resolveWithBlankImageBuffer in the case.
+ * platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp:
+ (WebCore::ImageBufferCairoImageSurfaceBackend::create): Check the
+ cairo_surface_status of 'surface' to avoid the assertion failure
+ in ImageBufferCairoImageSurfaceBackend ctor.
+
2021-01-18 Zalan Bujtas <[email protected]>
[LFC][Integration] Disable inline boxes with outline
Modified: trunk/Source/WebCore/html/ImageBitmap.cpp (271582 => 271583)
--- trunk/Source/WebCore/html/ImageBitmap.cpp 2021-01-18 19:41:11 UTC (rev 271582)
+++ trunk/Source/WebCore/html/ImageBitmap.cpp 2021-01-18 20:13:02 UTC (rev 271583)
@@ -820,6 +820,10 @@
// 6.3. Set imageBitmap's bitmap data to image's image data, cropped to the
// source rectangle with formatting.
auto tempBitmapData = createImageBuffer(scriptExecutionContext, imageData->size(), bufferRenderingMode);
+ if (!tempBitmapData) {
+ resolveWithBlankImageBuffer(scriptExecutionContext, true, WTFMove(promise));
+ return;
+ }
tempBitmapData->putImageData(AlphaPremultiplication::Unpremultiplied, *imageData, IntRect(0, 0, imageData->width(), imageData->height()), { }, alphaPremultiplication);
FloatRect destRect(FloatPoint(), outputSize);
bitmapData->context().drawImageBuffer(*tempBitmapData, destRect, sourceRectangle.releaseReturnValue(), { interpolationQualityForResizeQuality(options.resizeQuality), imageOrientationForOrientation(options.imageOrientation) });
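Review bot: the new `if (!tempBitmapData)` branch passes a bare `true` as the second argument of `resolveWithBlankImageBuffer`; an inline argument comment naming the parameter would make the call site readable. The branch also deserves a one-line comment on why an oversized source resolves to a blank bitmap instead of rejecting the promise: the caller receives a successfully resolved, empty ImageBitmap with no signal that the backend's size limit was exceeded, which is fine if it matches what the other oversized-source paths in this function do, but that choice should be stated next to the check.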
Modified: trunk/Source/WebCore/platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp (271582 => 271583)
--- trunk/Source/WebCore/platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp 2021-01-18 19:41:11 UTC (rev 271582)
+++ trunk/Source/WebCore/platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp 2021-01-18 20:13:02 UTC (rev 271583)
@@ -60,6 +60,8 @@
cairo_surface_set_user_data(surface.get(), &s_surfaceDataKey, surfaceData, [](void* data) {
fastFree(data);
});
+ if (cairo_surface_status(surface.get()) != CAIRO_STATUS_SUCCESS)
+ return nullptr;
return std::unique_ptr<ImageBufferCairoImageSurfaceBackend>(new ImageBufferCairoImageSurfaceBackend(parameters, WTFMove(surface)));
}
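Review bot: the `cairo_surface_status` check is placed after `cairo_surface_set_user_data`, which leaks on the very error path it handles. When the requested size is out of range cairo hands back a static error surface, and `cairo_surface_set_user_data` on such a surface returns the error status without attaching the destroy notifier, so the `fastFree(data)` callback is never registered and `surfaceData` is never freed when the function hits `return nullptr`. Move the status check up to immediately after the surface is created, before `surfaceData` is attached, or free `surfaceData` explicitly in the early-return branch; checking the return value of `cairo_surface_set_user_data` itself would catch the same condition.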