Bug 220348

Summary: Nullptr crash in GradientImage::drawPattern
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: ImagesAssignee: Rob Buis <rbuis>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, bfulgham, cgarcia, ews-feeder, gpoo, product-security, rbuis, sabouhallawa, simon.fraser, svillar, thorton, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Test
none
Reduced testcase
none
Patch none

Ryosuke Niwa
Reported 2021-01-05 22:23:16 PST
e.g. ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00011895889d bp 0x7ffee7433210 sp 0x7ffee7433210 T0) #0 0x11895889d in WTF::RetainPtr<CGImage*>::get() const+0x1d (WebCore.framework/Versions/A/WebCore:x86_64+0x1e489d) #1 0x11d6d0dc0 in WebCore::createBitmapImageAfterScalingIfNeeded(WTF::RefPtr<WebCore::NativeImage, WTF::RawPtrTraits<WebCore::NativeImage>, WTF::DefaultRefDerefTraits<WebCore::NativeImage> >&&, WebCore::IntSize const&, WebCore::IntSize const&, float, WebCore::PreserveResolution)+0x4a0 (WebCore.framework/Versions/A/WebCore:x86_64+0x4f5cdc0) #2 0x11d6d1182 in WebCore::ImageBufferCGBackend::sinkIntoImage(WebCore::PreserveResolution)+0x1c2 (WebCore.framework/Versions/A/WebCore:x86_64+0x4f5d182) #3 0x11d5972e0 in WebCore::ConcreteImageBuffer<WebCore::ImageBufferCGBitmapBackend>::sinkIntoImage(WebCore::PreserveResolution)+0xb0 (WebCore.framework/Versions/A/WebCore:x86_64+0x4e232e0) #4 0x11d5885c2 in WebCore::ImageBuffer::sinkIntoImage(WTF::RefPtr<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer>, WTF::DefaultRefDerefTraits<WebCore::ImageBuffer> >, WebCore::PreserveResolution)+0x52 (WebCore.framework/Versions/A/WebCore:x86_64+0x4e145c2) #5 0x11d54d633 in WebCore::GradientImage::drawPattern(WebCore::GraphicsContext&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::AffineTransform const&, WebCore::FloatPoint const&, WebCore::FloatSize const&, WebCore::ImagePaintingOptions const&)+0x603 (WebCore.framework/Versions/A/WebCore:x86_64+0x4dd9633) #6 0x11d584054 in WebCore::Image::drawTiled(WebCore::GraphicsContext&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::FloatSize const&, WebCore::Image::TileRule, WebCore::Image::TileRule, WebCore::ImagePaintingOptions const&)+0x814 (WebCore.framework/Versions/A/WebCore:x86_64+0x4e10054) #7 0x11d561307 in WebCore::GraphicsContext::drawTiledImage(WebCore::Image&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::FloatSize const&, WebCore::Image::TileRule, WebCore::Image::TileRule, WebCore::ImagePaintingOptions const&)+0x157 (WebCore.framework/Versions/A/WebCore:x86_64+0x4ded307) #8 0x11dfcf704 in WebCore::NinePieceImage::paint(WebCore::GraphicsContext&, WebCore::RenderElement*, WebCore::RenderStyle const&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, float, WebCore::CompositeOperator) const+0x814 (WebCore.framework/Versions/A/WebCore:x86_64+0x585b704) #9 0x11dc2770b in WebCore::RenderBoxModelObject::paintNinePieceImage(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::RenderStyle const&, WebCore::NinePieceImage const&, WebCore::CompositeOperator)+0x3db (WebCore.framework/Versions/A/WebCore:x86_64+0x54b370b) #10 0x11dc31def in WebCore::RenderBoxModelObject::paintBorder(WebCore::PaintInfo const&, WebCore::LayoutRect const&, WebCore::RenderStyle const&, WebCore::BackgroundBleedAvoidance, bool, bool)+0x39f (WebCore.framework/Versions/A/WebCore:x86_64+0x54bddef) #11 0x11dbb9b63 in WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::LayoutPoint const&)+0x4f3 (WebCore.framework/Versions/A/WebCore:x86_64+0x5445b63) #12 0x11de23053 in WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&)+0x543 (WebCore.framework/Versions/A/WebCore:x86_64+0x56af053) #13 0x11dd41a4a in WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*)+0x49a (WebCore.framework/Versions/A/WebCore:x86_64+0x55cda4a) #14 0x11dd3d3f0 in WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*)+0x9f0 (WebCore.framework/Versions/A/WebCore:x86_64+0x55c93f0) #15 0x11dd356eb in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0xeab (WebCore.framework/Versions/A/WebCore:x86_64+0x55c16eb) #16 0x11dd346fe in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x23e (WebCore.framework/Versions/A/WebCore:x86_64+0x55c06fe) #17 0x11dd34360 in WebCore::RenderLayer::paintLayerByApplyingTransform(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>, WebCore::LayoutSize const&)+0x690 (WebCore.framework/Versions/A/WebCore:x86_64+0x55c0360) #18 0x11dd32752 in WebCore::RenderLayer::paintLayerWithEffects(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x782 (WebCore.framework/Versions/A/WebCore:x86_64+0x55be752) #19 0x11dd30e9f in WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1ff (WebCore.framework/Versions/A/WebCore:x86_64+0x55bce9f) #20 0x11dd3c98b in WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x13b (WebCore.framework/Versions/A/WebCore:x86_64+0x55c898b) #21 0x11dd357d5 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0xf95 (WebCore.framework/Versions/A/WebCore:x86_64+0x55c17d5) #22 0x11dd346fe in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x23e (WebCore.framework/Versions/A/WebCore:x86_64+0x55c06fe) #23 0x11dd34360 in WebCore::RenderLayer::paintLayerByApplyingTransform(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>, WebCore::LayoutSize const&)+0x690 (WebCore.framework/Versions/A/WebCore:x86_64+0x55c0360) #24 0x11dd32752 in WebCore::RenderLayer::paintLayerWithEffects(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x782 (WebCore.framework/Versions/A/WebCore:x86_64+0x55be752) #25 0x11dd30e9f in WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1ff (WebCore.framework/Versions/A/WebCore:x86_64+0x55bce9f) <rdar://problem/72036950>
Attachments
Test (470.01 KB, text/html)
2021-01-05 22:29 PST, Ryosuke Niwa 		no flags
Details
Reduced testcase (169 bytes, text/html)
2021-01-11 06:21 PST, Rob Buis 		no flags
Details
Patch (4.16 KB, patch)
2021-01-12 05:50 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2021-01-05 22:29:23 PST
Created attachment 417067 [details] Test
Rob Buis
Comment 2 2021-01-11 06:21:03 PST
Created attachment 417374 [details] Reduced testcase
Rob Buis
Comment 3 2021-01-12 05:50:42 PST
Created attachment 417450 [details] Patch
EWS
Comment 4 2021-01-13 10:41:02 PST
Committed r271441: <https://trac.webkit.org/changeset/271441> All reviewed patches have been landed. Closing bug and clearing flags on attachment 417450 [details].
Ryosuke Niwa
Comment 5 2021-01-13 13:00:12 PST
No security implication here.
Note You need to log in before you can comment on or make changes to this bug.