Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 97d27fbddaca8412e0370afd58185195d60ec66e
https://github.com/WebKit/WebKit/commit/97d27fbddaca8412e0370afd58185195d60ec66e
  Author: Ruthvik Konda <[email protected]>
  Date:   2025-10-08 (Wed, 08 Oct 2025)

  Changed paths:
    A LayoutTests/ipc/decode-feConvolveMatrix-kernelSize-overflow-expected.txt
    A LayoutTests/ipc/decode-feConvolveMatrix-kernelSize-overflow.html
    M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in

  Log Message:
  -----------
  Fix integer overflow during FEConvolveMatrix IPC decoder validator
https://bugs.webkit.org/show_bug.cgi?id=300303
rdar://161647030

Reviewed by Mike Wyrzykowski.

In the IPC decoder validator for FEConvolveMatrix, the kernelSize()->area()
overflows if given large width and height values. This causes a crash in GPUP.
The fix is to use unclampedArea() which will never overflow.

The fuzzer test case is altered slightly to consume the DidInitialize message
that gets sent back to WebContent to prevent it from reaching the dummy
MessageReceiver and hitting ASSERT_NOT_REACHED().

Test: ipc/decode-feConvolveMatrix-kernelSize-overflow.html
* LayoutTests/ipc/decode-feConvolveMatrix-kernelSize-overflow-expected.txt: Added.
* LayoutTests/ipc/decode-feConvolveMatrix-kernelSize-overflow.html: Added.
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:

Canonical link: https://commits.webkit.org/301246@main
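The failure mode the commit describes, as an added C++ illustration that is not WebKit code: a decoder-side validator that multiplies two 32-bit kernel dimensions in 32-bit arithmetic wraps on large inputs and can accept a message whose kernel matrix does not match its declared size, whereas widening to 64 bits before multiplying cannot overflow. KernelSize, wrappingArea, wideArea and the two validate functions are constructed names; this does not show how WebKit's unclampedArea() is implemented.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>

// Constructed stand-in for a decoded kernel size (assumption, not WebKit's type).
struct KernelSize {
    int32_t width;
    int32_t height;
};

// Overflowing pattern: the product is computed at the operands' own width.
// Unsigned arithmetic is used here so the wraparound is well defined; in
// signed 32-bit arithmetic the same overflow would be undefined behaviour.
static uint32_t wrappingArea(KernelSize s)
{
    return static_cast<uint32_t>(s.width) * static_cast<uint32_t>(s.height);
}

// Overflow-proof area: the product of two 32-bit values always fits in 64 bits,
// so widening first means no wraparound is possible. Non-positive dimensions
// are rejected up front rather than silently converted.
static std::optional<uint64_t> wideArea(KernelSize s)
{
    if (s.width <= 0 || s.height <= 0)
        return std::nullopt;
    return static_cast<uint64_t>(s.width) * static_cast<uint64_t>(s.height);
}

// Validator as a decoder would apply it: the received kernel matrix must hold
// exactly width*height entries. This version trusts the wrapped product.
static bool validateNaive(KernelSize s, size_t kernelEntries)
{
    return s.width > 0 && s.height > 0 && wrappingArea(s) == kernelEntries;
}

// Same check with the widened product: a wrapped size can no longer match.
static bool validateChecked(KernelSize s, size_t kernelEntries)
{
    std::optional<uint64_t> area = wideArea(s);
    return area.has_value() && *area == kernelEntries;
}
```

With width = height = 65537 the 32-bit product wraps to 131073, so validateNaive accepts a 131073-entry kernel for a 4,295,098,369-cell size while validateChecked rejects it.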

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes