| Field | Value |
|---|---|
| Summary: | Add back protection of the pixel buffer in ImageBufferCGBackend::toCFData removed in r277237 |
| Product: | WebKit |
| Component: | New Bugs |
| Status: | RESOLVED FIXED |
| Severity: | Normal |
| Priority: | P2 |
| Version: | WebKit Nightly Build |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Reporter: | Sam Weinig <sam> |
| Assignee: | Sam Weinig <sam> |
| CC: | darin, dino, ews-watchlist, graouts, kondapallykalyan, webkit-bug-importer |
| Keywords: | InRadar |
Description
Sam Weinig
2021-05-08 19:08:21 PDT
Created attachment 428108 [details]
Patch
Comment 2
Darin Adler
Comment on attachment 428108 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=428108&action=review

> Source/WebCore/platform/graphics/cg/GraphicsContextGLCG.cpp:526
> + size_t dataSize = rowBytes * imageSize.height();

Not new: This computation is peculiar because it’s done as a 32-bit integer and then the results are put into a size_t. If it’s too big for 32-bits, it will overflow.

> Source/WebCore/platform/graphics/cg/GraphicsContextGLCG.cpp:530
> + reinterpret_cast<ImageData*>(context)->deref();

Since this is void*, we can and should use static_cast instead of reinterpret_cast.

> Source/WebCore/platform/graphics/cg/ImageBufferCGBackend.cpp:201
> + reinterpret_cast<ImageData*>(context)->deref();

Ditto.

Comment 3
Committed r277255 (237524@main): <https://commits.webkit.org/237524@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 428108 [details].

Comment 4
(In reply to Darin Adler from comment #2)
> Comment on attachment 428108 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=428108&action=review
>
> > Source/WebCore/platform/graphics/cg/GraphicsContextGLCG.cpp:526
> > + size_t dataSize = rowBytes * imageSize.height();
>
> Not new: This computation is peculiar because it’s done as a 32-bit integer
> and then the results are put into a size_t. If it’s too big for 32-bits, it
> will overflow.

I agree it's odd, but I don't believe it can overflow, since ImageData checks for that case in all its create functions and fails if it overflows. My guess about the size_t is that is what CGDataProviderCreateWithData takes and so someone was just matching types.

> > Source/WebCore/platform/graphics/cg/GraphicsContextGLCG.cpp:530
> > + reinterpret_cast<ImageData*>(context)->deref();
>
> Since this is void*, we can and should use static_cast instead of
> reinterpret_cast.

> > Source/WebCore/platform/graphics/cg/ImageBufferCGBackend.cpp:201
> > + reinterpret_cast<ImageData*>(context)->deref();
>
> Ditto.

Going to fix this in the next patch, where I touch this once again.
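The two review points above, the 32-bit product widened to size_t and the cast of a void* context, worked through as an added C++ example. This is not WebKit code: IntSize, PixelBufferOwner, dataSizeNarrow, dataSizeChecked, checkedRowBytes and releasePixelBuffer are constructed stand-ins for the types and functions the review discusses, and the release callback only mirrors the shape of CGDataProviderReleaseDataCallback.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>

// Constructed stand-in for the image size type used in the reviewed code.
struct IntSize {
    int width;
    int height;
};

// The shape the review flagged: the product is formed in 32-bit arithmetic
// and only afterwards widened to size_t, so the widening cannot recover bits
// that were already lost. The original uses int (where overflow is undefined
// behaviour); uint32_t is used here so the wraparound is well defined and
// observable: 131072 * 32768 == 2^32 wraps to 0.
size_t dataSizeNarrow(uint32_t rowBytes, const IntSize& imageSize)
{
    uint32_t product = rowBytes * static_cast<uint32_t>(imageSize.height);
    return product; // widening happens after the damage is done
}

// Checked row-stride computation of the kind the reply says ImageData performs
// in its create functions: reject any width whose byte stride does not fit an int.
std::optional<int> checkedRowBytes(int width, int bytesPerPixel)
{
    if (width < 0 || bytesPerPixel <= 0)
        return std::nullopt;
    int64_t wide = static_cast<int64_t>(width) * bytesPerPixel;
    if (wide > std::numeric_limits<int>::max())
        return std::nullopt;
    return static_cast<int>(wide);
}

// Hardened buffer-size computation: widen the operands first, then verify the
// product fits size_t before handing it to a data-provider API.
std::optional<size_t> dataSizeChecked(int rowBytes, const IntSize& imageSize)
{
    if (rowBytes < 0 || imageSize.height < 0)
        return std::nullopt;
    uint64_t wide = static_cast<uint64_t>(rowBytes) * static_cast<uint64_t>(imageSize.height);
    if (wide > static_cast<uint64_t>(std::numeric_limits<size_t>::max()))
        return std::nullopt;
    return static_cast<size_t>(wide);
}

// Constructed stand-in for the ref-counted owner of the pixel buffer that is
// passed as the opaque context pointer of a release callback.
struct PixelBufferOwner {
    int refCount = 1;
    void deref() { --refCount; }
};

// Release callback in the shape of CGDataProviderReleaseDataCallback. The
// context arrives as void*, so static_cast is the correct conversion back to
// the original object type, as the review notes; reinterpret_cast is not needed.
void releasePixelBuffer(void* context, const void* /*data*/, size_t /*size*/)
{
    static_cast<PixelBufferOwner*>(context)->deref();
}

// Makes the callback's effect observable: returns the refcount after release.
int refCountAfterRelease()
{
    PixelBufferOwner owner;
    releasePixelBuffer(&owner, nullptr, 0);
    return owner.refCount;
}
```

The narrow version returns 0 bytes for a 32768x32768 RGBA image, which is exactly the too-small allocation a later memcpy or blit would overrun; the checked version either returns the real 4 GiB figure or refuses. Checking at the stride computation, as the reply describes ImageData doing, is what makes the later int-to-size_t widening harmless.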