Bug 211539

Summary: SIGILL @ WebCore::Shape::createRasterShape -- DOS ASAN
Product: WebKit Reporter: Pinki Gyanchandani <pgyanchandani>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, changseok, esprehn+autocc, ews-watchlist, ggaren, glenn, kondapallykalyan, pdr, simon.fraser, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch none

Pinki Gyanchandani
Reported 2020-05-06 16:47:02 PDT
The crash is happening in Shape::createRasterShape function. This is a release assert RELEASE_ASSERT(imageData && imageData->data()); in code. The reason for crash is because ImageData::create returns NULL, because dataSize.hasOverFlowed() is TRUE. In the failure case intRect size, width is huge value and when its multiplied with dataSize (=4) and height, that results in overflow.
Attachments
Patch (9.81 KB, patch)
2020-05-06 17:57 PDT, Pinki Gyanchandani 		no flags
DetailsFormatted DiffDiff
Patch (10.82 KB, patch)
2020-05-07 16:19 PDT, Pinki Gyanchandani 		no flags
DetailsFormatted DiffDiff
Patch (10.78 KB, patch)
2020-05-08 10:38 PDT, Pinki Gyanchandani 		no flags
DetailsFormatted DiffDiff
Patch (1.82 KB, patch)
2020-05-08 11:00 PDT, Pinki Gyanchandani 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Pinki Gyanchandani
Comment 1 2020-05-06 17:57:43 PDT
Created attachment 398689 [details] Patch
Simon Fraser (smfr)
Comment 2 2020-05-07 10:34:38 PDT
Comment on attachment 398689 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=398689&action=review > Source/WebCore/rendering/shapes/Shape.cpp:196 > + // RELEASE_ASSERT(imageData && imageData->data()); Please don't check in commented out code. > Source/WebCore/rendering/shapes/Shape.cpp:197 > + if (imageData && imageData->data()) { Make this an early return.
Geoffrey Garen
Comment 3 2020-05-07 10:46:13 PDT
Comment on attachment 398689 [details] Patch To enable early returns, you can put this code: auto rasterShape = makeUnique<RasterShape>(WTFMove(intervals), marginRect.size()); rasterShape->m_writingMode = writingMode; rasterShape->m_margin = margin; return rasterShape; in a local lambda like so: auto createShape = [](WritingMode writingMode, float margin) { auto rasterShape = makeUnique<RasterShape>(WTFMove(intervals), marginRect.size()); rasterShape->m_writingMode = writingMode; rasterShape->m_margin = margin; return rasterShape; }; if (!condition) return createShape(writingMode, margin); You should make the existing "if (imageBuffer)" check an early return too, for consistency.
Pinki Gyanchandani
Comment 4 2020-05-07 16:19:37 PDT
Created attachment 398809 [details] Patch
Geoffrey Garen
Comment 5 2020-05-07 18:52:40 PDT
Comment on attachment 398809 [details] Patch r=me
EWS
Comment 6 2020-05-07 18:54:35 PDT
Committed r261363: <https://trac.webkit.org/changeset/261363> All reviewed patches have been landed. Closing bug and clearing flags on attachment 398809 [details].
Simon Fraser (smfr)
Comment 7 2020-05-07 19:56:57 PDT
Comment on attachment 398809 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=398809&action=review > Source/WebCore/rendering/shapes/Shape.cpp:204 > + // Removing the Release Assert, as we could get to a value where imageData could be nullptr. A case where > + // ImageRect.size() is huge, imageData::create can return a nullptr because data size has overflowed. > + // Refer rdar://problem/61793884 This comment about removing the Release Assert should be removed.
Pinki Gyanchandani
Comment 8 2020-05-08 10:37:05 PDT
re-opening to incorporate the final comment from Simon Fraser, on correcting the comment.
Pinki Gyanchandani
Comment 9 2020-05-08 10:38:26 PDT
Created attachment 398875 [details] Patch
Pinki Gyanchandani
Comment 10 2020-05-08 11:00:25 PDT
Created attachment 398876 [details] Patch
EWS
Comment 11 2020-05-08 11:36:36 PDT
Committed r261400: <https://trac.webkit.org/changeset/261400> All reviewed patches have been landed. Closing bug and clearing flags on attachment 398876 [details].
Note You need to log in before you can comment on or make changes to this bug.