Bug 211539

Summary: SIGILL @ WebCore::Shape::createRasterShape -- DOS ASAN
Product: WebKit
Reporter: Pinki Gyanchandani <pgyanchandani>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, changseok, esprehn+autocc, ews-watchlist, ggaren, glenn, kondapallykalyan, pdr, simon.fraser, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments (Description / Flags):
Patch / none
Patch / none
Patch / none
Patch / none

Description Pinki Gyanchandani 2020-05-06 16:47:02 PDT
The crash is happening in the Shape::createRasterShape function. It is a release assert in the code: RELEASE_ASSERT(imageData && imageData->data());

The crash happens because ImageData::create returns NULL, because dataSize.hasOverflowed() is TRUE.

In the failure case the intRect size's width is a huge value, and when it is multiplied by the data size (=4) and the height, the result overflows.
Comment 1 Pinki Gyanchandani 2020-05-06 17:57:43 PDT
Created attachment 398689 [details]
Patch
Comment 2 Simon Fraser (smfr) 2020-05-07 10:34:38 PDT
Comment on attachment 398689 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=398689&action=review

> Source/WebCore/rendering/shapes/Shape.cpp:196
> +        // RELEASE_ASSERT(imageData && imageData->data());

Please don't check in commented out code.

> Source/WebCore/rendering/shapes/Shape.cpp:197
> +        if (imageData && imageData->data()) {

Make this an early return.
Comment 3 Geoffrey Garen 2020-05-07 10:46:13 PDT
Comment on attachment 398689 [details]
Patch

To enable early returns, you can put this code:

    auto rasterShape = makeUnique<RasterShape>(WTFMove(intervals), marginRect.size());
    rasterShape->m_writingMode = writingMode;
    rasterShape->m_margin = margin;
    return rasterShape;

in a local lambda like so:

// Capture by reference: the lambda uses intervals and marginRect from the
// enclosing function, so an empty capture list would not compile.
auto createShape = [&](WritingMode writingMode, float margin) {
    auto rasterShape = makeUnique<RasterShape>(WTFMove(intervals), marginRect.size());
    rasterShape->m_writingMode = writingMode;
    rasterShape->m_margin = margin;
    return rasterShape;
};

if (!condition)
    return createShape(writingMode, margin);

You should make the existing "if (imageBuffer)" check an early return too, for consistency.
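The two points above, the size overflow from the bug description (width * 4 * height overflowing so that ImageData::create yields a null pointer) and the early-return structure proposed in comment 3, can be modelled together in self-contained C++. This is an added example, not WebKit's code: `checkedMul` stands in for WTF's Checked<> arithmetic, and `ImageDataLike` / `RasterShapeLike` are hypothetical stand-ins for WebCore's ImageData and RasterShape. The point it demonstrates is that once the size computation is overflow-checked, the allocation can legitimately fail for attacker-chosen dimensions, so the caller must treat a null buffer as an ordinary failure path (empty shape) rather than a RELEASE_ASSERT, which turns the overflow into a deterministic crash.

```cpp
#include <cstdint>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Stand-in for WTF's Checked<unsigned> arithmetic (hypothetical helper, not
// WebKit's API): reports overflow instead of silently wrapping.
static bool checkedMul(unsigned a, unsigned b, unsigned& out)
{
    return !__builtin_mul_overflow(a, b, &out);
}

// Minimal stand-in for WebCore::ImageData: RGBA, 4 bytes per pixel.
struct ImageDataLike {
    unsigned width = 0;
    unsigned height = 0;
    std::vector<uint8_t> bytes;
    uint8_t* data() { return bytes.empty() ? nullptr : bytes.data(); }
    uint8_t alphaAt(unsigned x, unsigned y) const { return bytes[(y * width + x) * 4 + 3]; }
    void fillOpaque(unsigned x0, unsigned y0, unsigned w, unsigned h)
    {
        for (unsigned y = y0; y < y0 + h; ++y)
            for (unsigned x = x0; x < x0 + w; ++x)
                bytes[(y * width + x) * 4 + 3] = 255;
    }
};

// Mirrors ImageData::create: dataSize = width * 4 * height, computed with
// overflow checking. A nullptr result is exactly the case that fired the
// RELEASE_ASSERT in Shape::createRasterShape.
std::unique_ptr<ImageDataLike> createImageData(unsigned width, unsigned height)
{
    unsigned rowBytes = 0, dataSize = 0;
    if (!checkedMul(width, 4u, rowBytes) || !checkedMul(rowBytes, height, dataSize))
        return nullptr;
    auto image = std::make_unique<ImageDataLike>();
    image->width = width;
    image->height = height;
    image->bytes.assign(dataSize, 0);
    return image;
}

// Minimal stand-in for WebCore::RasterShape: one [x0, x1) span per row.
struct RasterShapeLike {
    std::vector<std::pair<int, int>> intervals;
    int writingMode = 0;
    float margin = 0;
};

// Models Shape::createRasterShape after the fix: every bail-out is an early
// return that still yields a valid (empty) shape; nothing asserts. `paint`
// stands in for drawing the CSS image into the buffer.
std::unique_ptr<RasterShapeLike> createRasterShape(unsigned width, unsigned height,
    int writingMode, float margin, uint8_t threshold,
    const std::function<void(ImageDataLike&)>& paint)
{
    std::vector<std::pair<int, int>> intervals;

    // Shared tail, as suggested in the review, so each failure path can return early.
    auto createShape = [&]() {
        auto shape = std::make_unique<RasterShapeLike>();
        shape->intervals = std::move(intervals);
        shape->writingMode = writingMode;
        shape->margin = margin;
        return shape;
    };

    auto imageData = createImageData(width, height);
    if (!imageData || !imageData->data())
        return createShape(); // size overflowed (or empty): empty shape, no crash

    paint(*imageData);

    // Build per-row intervals from pixels whose alpha exceeds the threshold.
    for (unsigned y = 0; y < height; ++y) {
        int start = -1, end = -1;
        for (unsigned x = 0; x < width; ++x) {
            if (imageData->alphaAt(x, y) <= threshold)
                continue;
            if (start < 0)
                start = static_cast<int>(x);
            end = static_cast<int>(x) + 1;
        }
        if (start >= 0)
            intervals.emplace_back(start, end);
    }
    return createShape();
}
```

With a width of 0x40000001 the first multiplication already overflows a 32-bit unsigned, so `createImageData` returns nullptr and `createRasterShape` hands back an empty shape; with a small 4x4 buffer the normal path runs and produces one interval per painted row.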
Comment 4 Pinki Gyanchandani 2020-05-07 16:19:37 PDT
Created attachment 398809 [details]
Patch
Comment 5 Geoffrey Garen 2020-05-07 18:52:40 PDT
Comment on attachment 398809 [details]
Patch

r=me
Comment 6 EWS 2020-05-07 18:54:35 PDT
Committed r261363: <https://trac.webkit.org/changeset/261363>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 398809 [details].
Comment 7 Simon Fraser (smfr) 2020-05-07 19:56:57 PDT
Comment on attachment 398809 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=398809&action=review

> Source/WebCore/rendering/shapes/Shape.cpp:204
> +    // Removing the Release Assert, as we could get to a value where imageData could be nullptr. A case where
> +    // ImageRect.size() is huge, imageData::create can return a nullptr because data size has overflowed.
> +    // Refer rdar://problem/61793884

This comment about removing the Release Assert should be removed.
Comment 8 Pinki Gyanchandani 2020-05-08 10:37:05 PDT
Re-opening to incorporate the final comment from Simon Fraser, on correcting the comment.
Comment 9 Pinki Gyanchandani 2020-05-08 10:38:26 PDT
Created attachment 398875 [details]
Patch
Comment 10 Pinki Gyanchandani 2020-05-08 11:00:25 PDT
Created attachment 398876 [details]
Patch
Comment 11 EWS 2020-05-08 11:36:36 PDT
Committed r261400: <https://trac.webkit.org/changeset/261400>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 398876 [details].