Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 3cfb6575ec08a8458894f6323ab09cd03e2475a0
      
https://github.com/WebKit/WebKit/commit/3cfb6575ec08a8458894f6323ab09cd03e2475a0
  Author: Chirag M Shah <[email protected]>
  Date:   2023-05-25 (Thu, 25 May 2023)

  Changed paths:
    A LayoutTests/svg/filters/feconvolve-matrix-invalid-target-offset-crash-expected.txt
    A LayoutTests/svg/filters/feconvolve-matrix-invalid-target-offset-crash.html
    M Source/WebCore/platform/graphics/filters/FEConvolveMatrix.cpp
    M Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.cpp
    M Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.h
    M Source/WebCore/svg/SVGFEConvolveMatrixElement.cpp
    M Source/WebCore/svg/SVGFEConvolveMatrixElement.h

  Log Message:
  -----------
  Fix buffer overflow in FEConvolveMatrixSoftwareApplier
https://bugs.webkit.org/show_bug.cgi?id=253721
rdar://109800117

Reviewed by Said Abou-Hallawa.

This change fixes a buffer overflow issue in the
FEConvolveMatrixSoftwareApplier code which happens when dealing with the
interior area and setting the destination pixels. This happens because
when the targetX/targetY doesn't fit in the convolution kernel, we don't
clip it, and that ends up moving the pixel offset by more than what is
needed. This change fixes that by making sure that when the SVG
attribute changes, we detect the invalid offset and rebuild the filter.

* LayoutTests/svg/filters/feconvolve-matrix-invalid-target-offset-crash-expected.txt: Added.
* LayoutTests/svg/filters/feconvolve-matrix-invalid-target-offset-crash.html: Added.
* Source/WebCore/platform/graphics/filters/FEConvolveMatrix.cpp:
(WebCore::FEConvolveMatrix::FEConvolveMatrix):
* Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.cpp:
(WebCore::FEConvolveMatrixSoftwareApplier::FEConvolveMatrixSoftwareApplier):
* Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.h:
* Source/WebCore/svg/SVGFEConvolveMatrixElement.cpp:
(WebCore::SVGFEConvolveMatrixElement::isValidTargetXOffset const):
(WebCore::SVGFEConvolveMatrixElement::isValidTargetYOffset const):
(WebCore::SVGFEConvolveMatrixElement::svgAttributeChanged):
(WebCore::SVGFEConvolveMatrixElement::createFilterEffect const):
* Source/WebCore/svg/SVGFEConvolveMatrixElement.h:

Originally-landed-as: 259548.425@safari-7615-branch (499c0bf6a8a9).
rdar://97909186
Canonical link: https://commits.webkit.org/264527@main
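As an added illustration (not WebKit's code and not part of this commit), a standalone model of the target-offset check the message describes: `ConvolveParams`, `isValidTargetOffset`, `resolveTarget`, `kernelReadsInBounds`, `interiorRangeX` and `interiorRangeIsSafe` are hypothetical names, and the interior-range arithmetic is a simplification of a software applier's fast path, not the real one. The validity rule itself (0 <= target < order, default floor(order / 2)) is the SVG specification's constraint on targetX/targetY.

```cpp
#include <optional>
#include <utility>

// Hypothetical model of the feConvolveMatrix target-offset validation; not WebKit code.
// SVG spec: 0 <= targetX < orderX (same for Y), default floor(order / 2) when absent.
struct ConvolveParams {
    int orderX, orderY;   // kernel matrix dimensions
    int targetX, targetY; // kernel cell that sits over the output pixel
};

bool isValidTargetOffset(int order, int target)
{
    return order > 0 && target >= 0 && target < order;
}

// Apply the spec default when the attribute was not specified.
int resolveTarget(int order, std::optional<int> target)
{
    return target.value_or(order / 2);
}

// Kernel cell (kx, ky) applied at output pixel (x, y) reads input pixel
// (x - targetX + kx, y - targetY + ky). True iff every read for (x, y) lands
// inside a width x height image.
bool kernelReadsInBounds(const ConvolveParams& p, int width, int height, int x, int y)
{
    for (int ky = 0; ky < p.orderY; ++ky) {
        for (int kx = 0; kx < p.orderX; ++kx) {
            int sx = x - p.targetX + kx;
            int sy = y - p.targetY + ky;
            if (sx < 0 || sx >= width || sy < 0 || sy >= height)
                return false;
        }
    }
    return true;
}

// "Interior" column range [begin, end]: pixels whose whole kernel footprint is
// inside the image, derived from the offsets alone as a fast path would do.
// With a valid target it stays within [0, width - 1]; with an out-of-range
// target it does not, and a loop trusting it walks past the buffer.
std::pair<int, int> interiorRangeX(const ConvolveParams& p, int width)
{
    return { p.targetX, width - p.orderX + p.targetX };
}

// The guard the fix adds: reject bad offsets before any fast path runs.
bool interiorRangeIsSafe(const ConvolveParams& p, int width)
{
    if (!isValidTargetOffset(p.orderX, p.targetX) || !isValidTargetOffset(p.orderY, p.targetY))
        return false;
    auto [begin, end] = interiorRangeX(p, width);
    return begin >= 0 && end < width;
}
```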


_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes