[webkit-changes] [WebKit/WebKit] 59e4b7: Crash happens when applying filter and drawing tex...

Tue, 10 Sep 2024 17:45:19 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 59e4b7c01999eaea1db9614660906c0ca6b57c34
      
https://github.com/WebKit/WebKit/commit/59e4b7c01999eaea1db9614660906c0ca6b57c34
  Author: Said Abou-Hallawa <[email protected]>
  Date:   2024-09-10 (Tue, 10 Sep 2024)

  Changed paths:
    A LayoutTests/fast/canvas/canvas-filter-text-drawing-expected.html
    A LayoutTests/fast/canvas/canvas-filter-text-drawing.html
    A LayoutTests/fast/canvas/canvas-layer-filter-text-drawing-expected.html
    A LayoutTests/fast/canvas/canvas-layer-filter-text-drawing.html
    M LayoutTests/platform/glib/TestExpectations
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp

  Log Message:
  -----------
  Crash happens when applying filter and drawing text in 2D canvas
https://bugs.webkit.org/show_bug.cgi?id=279348
rdar://135455808

Reviewed by Simon Fraser.

CanvasRenderingContext2DBase::drawTextUnchecked() calls fontProxy() which 
returns
a pointer to state().font. Then drawTextUnchecked() calls save() through
CanvasFilterContextSwitcher::create(). This save() appends a new state to
m_stateStack. Vector::append() may reallocate its buffer. Reallocating the 
buffer
will make the pointer to fontProxy() invalid. This causes a crash when accessing
the members of fontProxy.

To fix this make sure, CanvasRenderingContext2D::fontProxy() is called after
calling CanvasFilterContextSwitcher::create().

* LayoutTests/fast/canvas/canvas-filter-text-drawing-expected.html: Added.
* LayoutTests/fast/canvas/canvas-filter-text-drawing.html: Added.
* LayoutTests/fast/canvas/canvas-layer-filter-text-drawing-expected.html: Added.
* LayoutTests/fast/canvas/canvas-layer-filter-text-drawing.html: Added.
* LayoutTests/platform/glib/TestExpectations:
* Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:
(WebCore::CanvasRenderingContext2DBase::drawTextUnchecked):

Canonical link: https://commits.webkit.org/283451@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to