Title: [199243] trunk/Source/WebCore
- Revision
- 199243
- Author
- [email protected]
- Date
- 2016-04-08 13:07:51 -0700 (Fri, 08 Apr 2016)
Log Message
Timing attack on SVG feComposite filter circumvents same-origin policy
https://bugs.webkit.org/show_bug.cgi?id=154338
Patch by Said Abou-Hallawa <sabouhallawa@apple.com> on 2016-04-08
Reviewed by Oliver Hunt.
Ensure the FEComposite arithmetic filter clamps the resulting color
components in constant time.
* platform/graphics/filters/FEComposite.cpp:
(WebCore::clampByte):
(WebCore::computeArithmeticPixels):
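The clamp this change describes, as an added example that is not part of the changeset or of WebKit: the original two-branch clamp, the three-entry table lookup the patch introduces, and a mask-based alternative that needs no memory access, checked against each other over ranges of inputs including INT_MIN and INT_MAX. It goes beyond the patch in two ways: the mask form is an alternative branchless construction, and the last function shows how attacker-chosen feComposite coefficients turn a branchy clamp into a per-pixel oracle. The arithmetic formula is the SVG one (k1*i1*i2 + k2*i1 + k3*i2 + k4); the function names, the use of integer coefficients in pixel units, and the specific coefficient choices are assumptions made here for illustration.

```cpp
#include <climits>
#include <cstdio>

// Added example, not WebKit code. Three ways to clamp an int to [0, 255];
// only the last two are free of data-dependent branches.

// The "before" form: two branches whose direction depends on the pixel value.
// When the pixel comes from a cross-origin image, branch-predictor behaviour
// (and hence filter timing) leaks information about that image.
static unsigned char clampByteBranchy(int c)
{
    if (c <= 0)
        return 0;
    if (c >= 255)
        return 255;
    return static_cast<unsigned char>(c);
}

// The table form the patch introduces, written with unsigned literals.
// Index 0: in range, 1: above 255, 2: negative (a negative value has bits
// above bit 7 set *and* the sign bit set, so both terms contribute 1).
static unsigned char clampByteTable(int c)
{
    unsigned char buff[] = { static_cast<unsigned char>(c), 255, 0 };
    unsigned uc = static_cast<unsigned>(c);
    return buff[!!(uc & ~0xffu) + !!(uc & ~(~0u >> 1))];
}

// A mask-based alternative with no memory lookup: derive all-ones/all-zeros
// masks from sign bits and select with AND/OR. Everything is unsigned, so
// there is no signed overflow for any input, INT_MIN included.
static unsigned char clampByteMask(int c)
{
    const unsigned signShift = sizeof(unsigned) * CHAR_BIT - 1;
    unsigned uc = static_cast<unsigned>(c);
    unsigned negMask = 0u - (uc >> signShift);        // all ones iff c < 0
    unsigned v = uc & ~negMask;                       // negative -> 0; now v <= INT_MAX
    unsigned hiMask = 0u - ((255u - v) >> signShift); // all ones iff v > 255 (255u - v wraps iff v > 255)
    v = (v & ~hiMask) | (255u & hiMask);              // above 255 -> 255
    return static_cast<unsigned char>(v);
}

// Compare both branchless forms with the branchy reference on every int in
// [lo, hi]; true if they agree on all of them.
static bool clampsAgree(long long lo, long long hi)
{
    for (long long i = lo; i <= hi; ++i) {
        int c = static_cast<int>(i);
        unsigned char expected = clampByteBranchy(c);
        if (clampByteTable(c) != expected || clampByteMask(c) != expected)
            return false;
    }
    return true;
}

// One channel of the SVG feComposite "arithmetic" operator,
// result = k1*i1*i2 + k2*i1 + k3*i2 + k4, here in 0..255 pixel units with
// integer coefficients (an assumption for this example; the spec uses floats
// with pixels in [0, 1]). The attacker controls k1..k4 from the filter
// markup; the pixels may be cross-origin. With k2 = 1 and k4 = -128 the raw
// result is negative exactly when the input pixel is below 128, so a branchy
// clamp turns each pixel's brightness into a timing oracle.
static unsigned char arithmeticChannel(unsigned char i1, unsigned char i2, int k1, int k2, int k3, int k4)
{
    int raw = (k1 * i1 * i2) / 255 + k2 * i1 + k3 * i2 + k4;
    return clampByteMask(raw);
}

int main()
{
    bool ok = clampsAgree(INT_MIN, static_cast<long long>(INT_MIN) + 100000)
        && clampsAgree(-100000, 100000)
        && clampsAgree(static_cast<long long>(INT_MAX) - 100000, INT_MAX);
    std::printf("branchless clamps agree with reference: %s\n", ok ? "yes" : "no");
    std::printf("pixel 100 with k2=1,k4=-128 -> %d\n", static_cast<int>(arithmeticChannel(100, 0, 0, 1, 0, -128)));
    std::printf("pixel 200 with k2=1,k4=-128 -> %d\n", static_cast<int>(arithmeticChannel(200, 0, 0, 1, 0, -128)));
    return ok ? 0 : 1;
}
```

Neither branchless form is guaranteed constant-time by the language: a compiler may legally turn a table lookup or a mask select back into a conditional branch, so the check that matters in practice is inspecting the generated code for the compilers that ship the browser.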
Modified Paths
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/platform/graphics/filters/FEComposite.cpp
Diff
Modified: trunk/Source/WebCore/ChangeLog (199242 => 199243)
--- trunk/Source/WebCore/ChangeLog 2016-04-08 19:59:25 UTC (rev 199242)
+++ trunk/Source/WebCore/ChangeLog 2016-04-08 20:07:51 UTC (rev 199243)
@@ -1,3 +1,17 @@
+2016-04-08 Said Abou-Hallawa <sabouhallawa@apple,com>
+
+ Timing attack on SVG feComposite filter circumvents same-origin policy
+ https://bugs.webkit.org/show_bug.cgi?id=154338
+
+ Reviewed by Oliver Hunt.
+
+ Ensure the FEComposite arithmetic filter is clamping the resulted color
+ components in a constant time.
+
+ * platform/graphics/filters/FEComposite.cpp:
+ (WebCore::clampByte):
+ (WebCore::computeArithmeticPixels):
+
2016-04-08 Brian Burg <[email protected]>
Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
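Review bot: the author e-mail in the new ChangeLog entry reads `sabouhallawa@apple,com` (a comma where the dot belongs); fix it before landing so the entry matches the committer address. The entry also carries no test line: WebKit ChangeLog entries state either the test added or "No new tests" with a reason, and here the reason is worth recording explicitly (timing behaviour cannot be asserted from a layout test), together with a sentence on how the constant-time claim was verified, since nothing in the patch itself can check it.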
Modified: trunk/Source/WebCore/platform/graphics/filters/FEComposite.cpp (199242 => 199243)
--- trunk/Source/WebCore/platform/graphics/filters/FEComposite.cpp 2016-04-08 19:59:25 UTC (rev 199242)
+++ trunk/Source/WebCore/platform/graphics/filters/FEComposite.cpp 2016-04-08 20:07:51 UTC (rev 199243)
@@ -120,6 +120,13 @@
forceValidPreMultipliedPixels();
}
+
+static unsigned char clampByte(int c)
+{
+ unsigned char buff[] = { static_cast<unsigned char>(c), 255, 0 };
+ unsigned uc = static_cast<unsigned>(c);
+ return buff[!!(uc & ~0xff) + !!(uc & ~(~0u >> 1))];
+}
template <int b1, int b4>
static inline void computeArithmeticPixels(unsigned char* source, unsigned char* destination, int pixelArrayLength,
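Review bot: `clampByte` has no comment explaining why a three-entry table and bit tricks replace a two-line clamp, and the property it exists to provide is exactly what a later cleanup would silently undo. Suggest a comment above the function stating that the index must be computed without data-dependent branches because the inputs derive from possibly cross-origin pixels (bug 154338), plus a line on the index arithmetic: `!!(uc & ~0xff)` is 1 for any value outside [0, 255], and `!!(uc & ~(~0u >> 1))` adds 1 more for negative values, so the index selects `c`, 255 or 0 from `buff`. Two smaller points: `~0xff` is a signed int mixed into an unsigned AND, so `~0xffu` is cleaner; and since this runs once per byte inside the per-pixel loop, mark it `inline` like its caller and confirm on the shipping compilers that the lookup is emitted as a load or cmov rather than being folded back into branches, because the language gives no such guarantee.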
@@ -141,12 +148,7 @@
if (b4)
result += scaledK4;
- if (result <= 0)
- *destination = 0;
- else if (result >= 255)
- *destination = 255;
- else
- *destination = result;
+ *destination = clampByte(result);
++source;
++destination;
}
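Review bot: the replacement removes the only data-dependent branches in this loop body (the remaining `if (b4)` is on a template parameter and folds at compile time, so it is fine), but the timing channel is only closed if nothing else in the per-pixel path branches on pixel values. The `forceValidPreMultipliedPixels()` call visible at the top of this file's first hunk runs over the same output; it should be checked for per-pixel comparisons, and the outcome recorded in the ChangeLog, otherwise the fix covers the clamp but not the filter.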
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes