Bug 68753

Summary: [WinCairo] BitmapImage::drawFrameMatchingSourceSize causes access violation if BitmapImage::frameAtIndex() returns NULL
Product: WebKit Reporter: David Delaune <david.delaune>
Component: WebKit APIAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: aroben, bfulgham
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Unspecified   
Attachments:
Description Flags
Check for zero cairo_surface_t * pointer to avoid null pointer exception
aroben: review-
Avoid passing a null pointer to the Cairo library. simon.fraser: review+

David Delaune
Reported 2011-09-24 02:13:54 PDT
Hi, I encountered an access violation in one of my unit tests at BitmapImage::drawFrameMatchingSourceSize. Below is the call stack: > WebKit.dll!WebCore::BitmapImage::drawFrameMatchingSourceSize(WebCore::GraphicsContext * ctxt=0x0023edb0, const WebCore::FloatRect & dstRect={...}, const WebCore::IntSize & srcSize={...}, WebCore::ColorSpace styleColorSpace=ColorSpaceDeviceRGB, WebCore::CompositeOperator compositeOp=CompositeCopy) Line 100 + 0x10 bytes WebKit.dll!WebCore::BitmapImage::getHBITMAPOfSize(HBITMAP__ * bmp=0xee0510de, tagSIZE * size=0x0023ef74) Line 90 WebKit.dll!WebIconDatabase::iconForURL(wchar_t * url=0x77f34618, tagSIZE * size=0x0023ef74, int __formal=1, unsigned int * bitmap=0x0023ef84) Line 179 + 0xb bytes After an investigation it appears that in some circumstances frameAtIndex() can return a NULL NativeImagePtr pointer. The WinCairo branch calls cairo_image_surface_get_height and cairo_image_surface_get_width and these functions will throw an exception if passed a NULL pointer. I noticed that the ImageCGWin.cpp implementation is nearly identical and based the comments in the Bug 61684 patch I wonder if it should also be reviewed. Best Wishes, -David Delaune
Attachments
Check for zero cairo_surface_t * pointer to avoid null pointer exception (1.83 KB, patch)
2011-09-24 02:53 PDT, David Delaune 		aroben: review-
DetailsFormatted DiffDiff
Avoid passing a null pointer to the Cairo library. (1.65 KB, patch)
2012-01-12 10:06 PST, Brent Fulgham 		simon.fraser: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
David Delaune
Comment 1 2011-09-24 02:53:48 PDT
Created attachment 108581 [details] Check for zero cairo_surface_t * pointer to avoid null pointer exception
Adam Roben (:aroben)
Comment 2 2011-09-26 05:01:16 PDT
Comment on attachment 108581 [details] Check for zero cairo_surface_t * pointer to avoid null pointer exception View in context: https://bugs.webkit.org/attachment.cgi?id=108581&action=review Is it possible to add a regression test for this? Perhaps via TestWebKitAPI? > Source/WebCore/platform/graphics/win/ImageCairoWin.cpp:100 > for (size_t i = 0; i < frames; ++i) { > cairo_surface_t* image = frameAtIndex(i); > - if (cairo_image_surface_get_height(image) == static_cast<size_t>(srcSize.height()) && cairo_image_surface_get_width(image) == static_cast<size_t>(srcSize.width())) { > + if (image && cairo_image_surface_get_height(image) == static_cast<size_t>(srcSize.height()) && cairo_image_surface_get_width(image) == static_cast<size_t>(srcSize.width())) { I think this would be a little clearer using an early continue: cairo_surface_t* image = frameAtIndex(i); if (!image) continue;
Brent Fulgham
Comment 3 2011-10-01 22:12:17 PDT
Comment on attachment 108581 [details] Check for zero cairo_surface_t * pointer to avoid null pointer exception You mentioned you found this during unit test. Is this a test we could integrate into WebKit's own test infrastructure?
Brent Fulgham
Comment 4 2011-10-01 22:14:00 PDT
Nice catch! (In reply to comment #2) > (From update of attachment 108581 [details] > I think this would be a little clearer using an early continue: > > cairo_surface_t* image = frameAtIndex(i); > if (!image) > continue; I agree. Please make this change, and let me know about the test case. Thanks! -Brent
Brent Fulgham
Comment 5 2012-01-12 10:06:30 PST
Created attachment 122266 [details] Avoid passing a null pointer to the Cairo library. Since David never responded to my comments, I've revised the source change per Adam's comment. No test case provided since exercising this logic requires calling WebKit API calls that are not used in the existing test infrastructure.
Adam Roben (:aroben)
Comment 6 2012-01-12 12:22:36 PST
(In reply to comment #5) > Created an attachment (id=122266) [details] > Avoid passing a null pointer to the Cairo library. > > Since David never responded to my comments, I've revised the source change per Adam's comment. No test case provided since exercising this logic requires calling WebKit API calls that are not used in the existing test infrastructure. Brent, did you consider add a test to TestWebKitAPI for this?
David Delaune
Comment 7 2012-02-09 10:12:20 PST
Hi, I have not tried this... I am just guessing that the manual test located at: \WebKit\ManualTests\resources\favicon-loads-for-local-files.html could potentially be modified to demonstrate this bug on WinCairo. You could probably generate a corrupt icon by doing something like: head -c 1024 /dev/urandom > corrupt_favicon.ico Best Wishes, -David Delaune
Adam Roben (:aroben)
Comment 8 2012-02-20 12:14:59 PST
Comment on attachment 122266 [details] Avoid passing a null pointer to the Cairo library. Discussion in this bug makes it sound like it should be possible to write an automated test. So let's wait until we have one.
David Delaune
Comment 9 2012-05-15 13:23:20 PDT
What automated test is Apple using to test for Bug 61684?
Simon Fraser (smfr)
Comment 10 2012-05-15 13:34:22 PDT
Comment on attachment 122266 [details] Avoid passing a null pointer to the Cairo library. It would be nice to have a test for this if you can make one (with a corrupted image file or something). I don't think it's necessary though.
Brent Fulgham
Comment 11 2012-11-24 15:05:48 PST
Committed r135659: <http://trac.webkit.org/changeset/135659>
Note You need to log in before you can comment on or make changes to this bug.