Bug 158761

Summary: decompose4 return value is unchecked, leading to potentially uninitialized data.
Product: WebKit Reporter: Dean Jackson <dino>
Component: New BugsAssignee: Dean Jackson <dino>
Status: REOPENED    
Severity: Normal CC: commit-queue
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=158816
Bug Depends on: 158896    
Bug Blocks:    
Attachments:
Description Flags
Patch
none
Patch simon.fraser: review+

Dean Jackson
Reported 2016-06-14 15:09:05 PDT
decompose4 return value is unchecked, leading to potentially uninitialized data.
Attachments
Patch (6.91 KB, patch)
2016-06-14 15:16 PDT, Dean Jackson 		no flags
DetailsFormatted DiffDiff
Patch (7.99 KB, patch)
2016-06-14 15:39 PDT, Dean Jackson 		simon.fraser: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Dean Jackson
Comment 1 2016-06-14 15:13:12 PDT
<rdar://problem/17526268> WebCore::decompose4 returns early (false) without initializing its result argument. Various clients of this method accept the return value without checking the result, using uninitialized memory to perform blending and other calculations.
Dean Jackson
Comment 2 2016-06-14 15:16:36 PDT
Created attachment 281289 [details] Patch
Simon Fraser (smfr)
Comment 3 2016-06-14 15:27:22 PDT
Comment on attachment 281289 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=281289&action=review > Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp:366 > + memset(&result, 0, sizeof(result)); > + result.perspectiveW = 1; > + result.scaleX = 1; > + result.scaleY = 1; > + result.scaleZ = 1; Should we just give Decomposed4Type some initializers?
Dean Jackson
Comment 4 2016-06-14 15:39:32 PDT
Created attachment 281291 [details] Patch
Dean Jackson
Comment 5 2016-06-14 15:46:07 PDT
Committed r202068: <http://trac.webkit.org/changeset/202068>
Alexey Proskuryakov
Comment 6 2016-06-17 20:25:40 PDT
The test still times out a lot, can't keep tests so unstable. Will roll out.
WebKit Commit Bot
Comment 7 2016-06-17 20:27:38 PDT
Re-opened since this is blocked by bug 158896
Alexey Proskuryakov
Comment 8 2016-06-17 20:30:24 PDT
Rolled out in <https://trac.webkit.org/r202195>.
Note You need to log in before you can comment on or make changes to this bug.