Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 88ab9e1efc4a43e8065a042bb666fdaf536feb51
https://github.com/WebKit/WebKit/commit/88ab9e1efc4a43e8065a042bb666fdaf536feb51
Author: Zak Ridouh <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A LayoutTests/ipc/feComponentTransfer-empty-tableValues-accelerated-expected.txt
A LayoutTests/ipc/feComponentTransfer-empty-tableValues-accelerated.html
M Source/WebCore/platform/graphics/coreimage/FEComponentTransferCoreImageApplier.mm
Log Message:
-----------
[CoreIPC] [GPUP] FEComponentTransfer CoreImage Metal kernel can read past bounds with empty tableValues
<https://bugs.webkit.org/show_bug.cgi?id=314461>
<rdar://174740239>
Reviewed by Simon Fraser.
A compromised WebContent process can send DrawFilteredImageBuffer with an
SVGFilterRenderer that selects FilterRenderingMode::Accelerated and carries an
FEComponentTransfer whose Table or Discrete transfer function has an empty
tableValues vector. The CoreImage applier propagated tableLength = 0 to the
Metal kernel, whose Table/Discrete branches computed the table index as
min((int)(component * n), n - 1) with no lower clamp, yielding k = -1 and
dereferencing tableStart[-1] inside CoreImage's stitched argument buffer. The
result was rendered to an IOSurface readable by the WebContent process.
The software path in FEComponentTransfer::computeLookupTable() guards this with
"if (n < 1) return;" but the CoreImage path never adopted that guard.
Fix this in two places:
- In applyOther(), treat an empty tableValues for a Table/Discrete channel as
Identity, matching the software path.
- In the Metal kernel, clamp the table index to [0, n - 1] / [0, n] so a
negative input component (extended-range pixels) cannot drive a negative
index either.
Test: ipc/feComponentTransfer-empty-tableValues-accelerated.html
* LayoutTests/ipc/feComponentTransfer-empty-tableValues-accelerated-expected.txt: Added.
* LayoutTests/ipc/feComponentTransfer-empty-tableValues-accelerated.html: Added.
* Source/WebCore/platform/graphics/coreimage/FEComponentTransferCoreImageApplier.mm:
(WebCore::compontentTransferKernel):
Originally-landed-as: 305413.914@safari-7624-branch (b63cccc1753d).
rdar://180429219
Canonical link: https://commits.webkit.org/316461@main
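The index arithmetic the commit message describes is easy to model on the CPU. The following C is an added illustration written for this page, not WebKit's kernel or applier code: `unguarded_table_index` reproduces the pre-fix formula `min((int)(component * n), n - 1)` as an integer only (it never reads memory), while `transfer_discrete` and `transfer_table` show the hardened shape with the software path's `n < 1` identity guard and a lower clamp so negative or extended-range components cannot produce a negative index. The function names, the constructed three-entry `kSampleTable`, and the segment bookkeeping (n values give n - 1 interpolation segments for the Table function) are my own; they follow my reading of the SVG feComponentTransfer definitions rather than the WebKit source.

```c
#include <stdio.h>

/* Pre-fix index math as the commit describes it: min((int)(c * n), n - 1)
   with no lower clamp. Returned as an integer only; nothing is dereferenced. */
int unguarded_table_index(float c, int n)
{
    int k = (int)(c * (float)n);      /* truncates toward zero: -1.0f -> -1 */
    return k < n - 1 ? k : n - 1;     /* n == 0 makes n - 1 == -1, so k == -1 */
}

/* Clamp a scaled component to [0, hi] before it becomes an int, so NaN,
   negative, and huge values all land inside the table. */
static int clamped_index(float scaled, int hi)
{
    if (!(scaled >= 0.0f))            /* negative or NaN -> first entry */
        return 0;
    if (scaled >= (float)hi)          /* c >= 1.0 -> last entry */
        return hi;
    return (int)scaled;               /* truncation is floor for non-negative values */
}

/* Discrete transfer: v_k with k = floor(c * n), k clamped to [0, n - 1].
   An empty table is treated as identity, matching "if (n < 1) return;". */
float transfer_discrete(float c, const float *table, int n)
{
    if (n < 1)
        return c;
    return table[clamped_index(c * (float)n, n - 1)];
}

/* Table transfer: n values define n - 1 linear segments. k is clamped to
   [0, n - 2] and the interpolation weight t to [0, 1]. */
float transfer_table(float c, const float *table, int n)
{
    if (n < 1)
        return c;                     /* identity, as in the software path */
    if (n == 1)
        return table[0];              /* a single value has no segment to interpolate */
    int segments = n - 1;
    int k = clamped_index(c * (float)segments, segments - 1);
    float t = c * (float)segments - (float)k;
    if (t < 0.0f) t = 0.0f;
    if (t > 1.0f) t = 1.0f;
    return table[k] + (table[k + 1] - table[k]) * t;
}

/* Constructed sample table (not from the page): a simple ramp. */
const float kSampleTable[3] = { 0.0f, 0.5f, 1.0f };
const int kSampleTableLength = 3;

int main(void)
{
    /* Constructed inputs: an in-range component, an extended-range negative
       component, and an empty table (n == 0). */
    printf("unguarded, n=0, c=0.5  -> k=%d\n", unguarded_table_index(0.5f, 0));
    printf("unguarded, n=4, c=-0.25 -> k=%d\n", unguarded_table_index(-0.25f, 4));
    printf("discrete,  n=0, c=0.5  -> %.2f (identity)\n",
           transfer_discrete(0.5f, kSampleTable, 0));
    printf("discrete,  n=3, c=-0.25 -> %.2f (clamped to v_0)\n",
           transfer_discrete(-0.25f, kSampleTable, kSampleTableLength));
    printf("table,     n=3, c=1.5  -> %.2f (clamped to v_2)\n",
           transfer_table(1.5f, kSampleTable, kSampleTableLength));
    return 0;
}
```

Both the `n == 0` case and the negative-component case drive the unguarded formula to `-1`; the hardened functions return the identity or the nearest table entry instead. When auditing a GPU-side port of a CPU filter, comparing the two paths for exactly this kind of missing guard is the check worth making.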
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications