Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b5b06c0fc266fbe80ac09bd769f0557e0a6fc8f0
      
https://github.com/WebKit/WebKit/commit/b5b06c0fc266fbe80ac09bd769f0557e0a6fc8f0
  Author: Said Abou-Hallawa <[email protected]>
  Date:   2026-06-16 (Tue, 16 Jun 2026)

  Changed paths:
    A LayoutTests/ipc/fecolormatrix-type-values-mismatch-crash-expected.txt
    A LayoutTests/ipc/fecolormatrix-type-values-mismatch-crash.html
    M Source/WebCore/platform/graphics/filters/FEColorMatrix.cpp
    M Source/WebCore/platform/graphics/filters/FEColorMatrix.h
    M Source/WebCore/svg/SVGFEColorMatrixElement.cpp
    M Source/WebCore/svg/SVGFEColorMatrixElement.h
    M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in

  Log Message:
  -----------
  [GPU Process]: Before decoding FEColorMatrix validate the length of the `values` vector
https://bugs.webkit.org/show_bug.cgi?id=309868
rdar://172397794

Reviewed by Kimmo Kinnunen.

SVGFEColorMatrixElement checks the length of `values` attribute before creating
the FEColorMatrix. Similarly the IPC should check the length of decoded `values`
before creating the FEColorMatrix. In both cases the `type` attribute should be
used to decide whether the length of `values` is valid or not.

Test: ipc/fecolormatrix-type-values-mismatch-crash.html

* LayoutTests/ipc/fecolormatrix-type-values-mismatch-crash-expected.txt: Added.
* LayoutTests/ipc/fecolormatrix-type-values-mismatch-crash.html: Added.
* Source/WebCore/platform/graphics/filters/FEColorMatrix.cpp:
(WebCore::FEColorMatrix::create):
(WebCore::FEColorMatrix::areValuesValidForType):
* Source/WebCore/platform/graphics/filters/FEColorMatrix.h:
* Source/WebCore/svg/SVGFEColorMatrixElement.cpp:
(WebCore::SVGFEColorMatrixElement::svgAttributeChanged):
(WebCore::SVGFEColorMatrixElement::createFilterEffect const):
(WebCore::SVGFEColorMatrixElement::isInvalidValuesLength const): Deleted.
* Source/WebCore/svg/SVGFEColorMatrixElement.h:
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:

Originally-landed-as: 305413.505@rapid/safari-7624.2.5.110-branch (ec665bbbbe8b). rdar://176062410
Canonical link: https://commits.webkit.org/315306@main
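As an added illustration of the check the log message describes (not WebKit's own code), a stand-alone C++ version of a decoder-side validation that rejects a `values` vector whose length does not match the `type`, using the entry counts the SVG feColorMatrix specification assigns to each type; the enum, struct and function names are hypothetical.

```cpp
#include <cstddef>
#include <optional>
#include <utility>
#include <vector>

// Hypothetical enum mirroring the SVG feColorMatrix 'type' attribute values.
enum class ColorMatrixType { Matrix, Saturate, HueRotate, LuminanceToAlpha };

// Entry count the SVG spec assigns to each type: a 4x5 matrix needs 20 values,
// saturate and hueRotate take one scalar, luminanceToAlpha takes none.
// Returns nullopt for an out-of-range type so an untrusted enum is rejected too.
static std::optional<size_t> expectedValueCount(ColorMatrixType type)
{
    switch (type) {
    case ColorMatrixType::Matrix: return 20;
    case ColorMatrixType::Saturate: return 1;
    case ColorMatrixType::HueRotate: return 1;
    case ColorMatrixType::LuminanceToAlpha: return 0;
    }
    return std::nullopt;
}

// The validation applied before constructing the effect: the decoded 'values'
// must have exactly the length the 'type' requires. This assumes any defaults
// for an omitted attribute were filled in before serialization (an assumption
// of this example), so an empty vector is only valid for luminanceToAlpha.
bool areValuesValidForType(ColorMatrixType type, const std::vector<float>& values)
{
    auto expected = expectedValueCount(type);
    return expected && values.size() == *expected;
}

struct ColorMatrix {
    ColorMatrixType type;
    std::vector<float> values;
};

// Decoder-side factory: refuses to build an object from a mismatched pair
// instead of letting later code index 'values' by the count 'type' implies.
std::optional<ColorMatrix> createColorMatrix(ColorMatrixType type, std::vector<float> values)
{
    if (!areValuesValidForType(type, values))
        return std::nullopt;
    return ColorMatrix { type, std::move(values) };
}
```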
