Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 15cc8962394fa5f0ebb029ff188f47f07d841360
https://github.com/WebKit/WebKit/commit/15cc8962394fa5f0ebb029ff188f47f07d841360
Author: Kimmo Kinnunen <kkinnu...@apple.com>
Date: 2025-02-03 (Mon, 03 Feb 2025)
Changed paths:
M Source/WebCore/Headers.cmake
M Source/WebCore/Sources.txt
M Source/WebCore/WebCore.xcodeproj/project.pbxproj
M Source/WebCore/platform/graphics/BifurcatedGraphicsContext.cpp
M Source/WebCore/platform/graphics/BifurcatedGraphicsContext.h
M Source/WebCore/platform/graphics/DashArray.h
A Source/WebCore/platform/graphics/FloatSegment.cpp
A Source/WebCore/platform/graphics/FloatSegment.h
M Source/WebCore/platform/graphics/FontCascade.cpp
M Source/WebCore/platform/graphics/FontCascade.h
M Source/WebCore/platform/graphics/GraphicsContext.cpp
M Source/WebCore/platform/graphics/GraphicsContext.h
M Source/WebCore/platform/graphics/NullGraphicsContext.h
M Source/WebCore/platform/graphics/cairo/CairoOperationRecorder.cpp
M Source/WebCore/platform/graphics/cairo/CairoOperationRecorder.h
M Source/WebCore/platform/graphics/cairo/CairoOperations.cpp
M Source/WebCore/platform/graphics/cairo/CairoOperations.h
M Source/WebCore/platform/graphics/cairo/GraphicsContextCairo.cpp
M Source/WebCore/platform/graphics/cairo/GraphicsContextCairo.h
M Source/WebCore/platform/graphics/cg/GraphicsContextCG.cpp
M Source/WebCore/platform/graphics/cg/GraphicsContextCG.h
M Source/WebCore/platform/graphics/displaylists/DisplayListItems.cpp
M Source/WebCore/platform/graphics/displaylists/DisplayListItems.h
M Source/WebCore/platform/graphics/displaylists/DisplayListRecorderImpl.cpp
M Source/WebCore/platform/graphics/displaylists/DisplayListRecorderImpl.h
M Source/WebCore/platform/graphics/skia/GraphicsContextSkia.cpp
M Source/WebCore/platform/graphics/skia/GraphicsContextSkia.h
M Source/WebCore/platform/mock/MockRealtimeVideoSource.h
M Source/WebCore/rendering/TextDecorationPainter.cpp
M Source/WebKit/Shared/DisplayListArgumentCoders.serialization.in
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.cpp
M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.h
M Tools/TestWebKitAPI/CMakeLists.txt
M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
A Tools/TestWebKitAPI/Tests/WebCore/FloatSegmentTest.cpp
M Tools/TestWebKitAPI/WebCoreTestUtilities.h

Log Message:
-----------
GraphicsContext::drawLinesForText might read out of bounds
https://bugs.webkit.org/show_bug.cgi?id=286570
rdar://143270489

Reviewed by Antti Koivisto.

A compromised WCP could send a width array with an uneven number of elements to
GraphicsContext::drawLinesForText(). This would cause an out-of-bounds read, as
drawLinesForText expects [begin, end] pairs of line segments.

The root cause is that the function used the incorrect type DashArray to pass the
line segments. DashArray is a type to pass doubles that represent lengths relative
to previous elements. When used correctly, DashArray [5,6,7] would encode segment
list [{0, 5}, {11, 18}]. Note that the implementation did not use DashArray this way.

Fix by introducing FloatSegment and passing Vector<FloatSegment> instead of DashArray.
This fixes the following issues:
- Avoid passing doubles. The source algorithm works with floats, so sending doubles
  is redundant.
- Avoid conversion from float pair array to float array in the source algorithm.
  The source algorithm already works with float pairs.

Since the change of types touches all of the lines in the source algorithm, also do
the following:
- Simplify source algorithm
- Avoid copies of the vectors in the source algorithm

The source algorithm would do the following full passes:
1. Dilate intersection line segments
2. Sort intersections along segment begin
3. Merge overlapping intersection segments
4. Compute difference between a solid line and intersections

Instead, do the following full passes:
1. Sort intersections along segment begin
2. Compute difference between a solid line and intersections, with intersections
   dilated. The difference can be computed with overlapping intersections; overlaps
   do not affect the result.

For GraphicsContext functions:
- Pass std::span<const FloatSegment> instead of Vector<FloatSegment>, as the callee
  does not need to use Vector functionality anywhere.
- Pass span as value, because it's small and this prevents pointer chasing.
- Fix a few .reserveInitialCapacity() size calculations, which previously tried to
  always reserve 0.
- Share the rect conversion implementation with the Skia port. Skia had a buggy
  variant of the rect conversion algorithm cut-and-pasted from the CG variant before
  the CG variant was improved.

Remove all default arguments from GraphicsContext::drawLinesForText(). It is poor
style to have default arguments for virtual functions, as then all overrides need to
replicate them in order to guarantee consistent invocation through a derived type
pointer. The callers did not use the default arguments.

* Source/WebCore/Sources.txt:
* Source/WebCore/WebCore.xcodeproj/project.pbxproj:
* Source/WebCore/platform/graphics/BifurcatedGraphicsContext.cpp:
(WebCore::BifurcatedGraphicsContext::drawLinesForText):
* Source/WebCore/platform/graphics/BifurcatedGraphicsContext.h:
* Source/WebCore/platform/graphics/DashArray.h:
* Source/WebCore/platform/graphics/FloatSegment.cpp: Copied from Source/WebCore/platform/graphics/DashArray.h.
(WebCore::operator<<):
* Source/WebCore/platform/graphics/FloatSegment.h: Added.
(WebCore::FloatSegment::length const):
(WebCore::FloatSegment::dilate):
(WebCore::differenceWithDilation):
* Source/WebCore/platform/graphics/FontCascade.cpp:
(WebCore::FontCascade::lineSpansForIntersectionsWithRect const):
(WebCore::FontCascade::dashesForIntersectionsWithRect const): Deleted.
* Source/WebCore/platform/graphics/FontCascade.h:
* Source/WebCore/platform/graphics/GraphicsContext.cpp:
(WebCore::GraphicsContext::drawLineForText):
(WebCore::GraphicsContext::computeRectsAndStrokeColorForLinesForText):
* Source/WebCore/platform/graphics/GraphicsContext.h:
* Source/WebCore/platform/graphics/NullGraphicsContext.h:
* Source/WebCore/platform/graphics/cairo/CairoOperationRecorder.cpp:
(WebCore::Cairo::OperationRecorder::drawLinesForText):
* Source/WebCore/platform/graphics/cairo/CairoOperationRecorder.h:
* Source/WebCore/platform/graphics/cairo/CairoOperations.cpp:
(WebCore::Cairo::drawLinesForText):
* Source/WebCore/platform/graphics/cairo/CairoOperations.h:
* Source/WebCore/platform/graphics/cairo/GraphicsContextCairo.cpp:
(WebCore::GraphicsContextCairo::drawLinesForText):
* Source/WebCore/platform/graphics/cairo/GraphicsContextCairo.h:
* Source/WebCore/platform/graphics/cg/GraphicsContextCG.cpp:
(WebCore::GraphicsContextCG::drawLinesForText):
* Source/WebCore/platform/graphics/cg/GraphicsContextCG.h:
* Source/WebCore/platform/graphics/displaylists/DisplayListItems.cpp:
(WebCore::DisplayList::DrawLinesForText::DrawLinesForText):
(WebCore::DisplayList::DrawLinesForText::apply const):
(WebCore::DisplayList::DrawLinesForText::dump const):
* Source/WebCore/platform/graphics/displaylists/DisplayListItems.h:
(WebCore::DisplayList::DrawLinesForText::lineSegments const):
(WebCore::DisplayList::DrawLinesForText::widths const): Deleted.
* Source/WebCore/platform/graphics/displaylists/DisplayListRecorderImpl.cpp:
(WebCore::DisplayList::RecorderImpl::drawLinesForText):
* Source/WebCore/platform/graphics/displaylists/DisplayListRecorderImpl.h:
* Source/WebCore/platform/graphics/skia/GraphicsContextSkia.cpp:
(WebCore::GraphicsContextSkia::drawLinesForText):
* Source/WebCore/rendering/TextDecorationPainter.cpp:
(WebCore::TextDecorationPainter::paintBackgroundDecorations):
(WebCore::compareTuples): Deleted.
(WebCore::translateIntersectionPointsToSkipInkBoundaries): Deleted.
* Source/WebKit/Shared/DisplayListArgumentCoders.serialization.in:
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
* Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.cpp:
(WebKit::RemoteDisplayListRecorderProxy::drawLinesForText):
* Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.h:
* Source/WebKit/WebProcess/WebPage/IPCTestingAPI.cpp:
* Tools/TestWebKitAPI/CMakeLists.txt:
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WebCore/FloatSegmentTest.cpp: Added.
(TestWebKitAPI::TEST(FloatSegment, DilateWithDifference)):

Canonical link: https://commits.webkit.org/289737@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes