REOPENED 158761
decompose4 return value is unchecked, leading to potentially uninitialized data. 
https://bugs.webkit.org/show_bug.cgi?id=158761
Summary decompose4 return value is unchecked, leading to potentially uninitialized data.
Dean Jackson
Reported 2016-06-14 15:09:05 PDT
decompose4 return value is unchecked, leading to potentially uninitialized data.
Attachments
Patch (6.91 KB, patch)
2016-06-14 15:16 PDT, Dean Jackson 		no flags
DetailsFormatted DiffDiff
Patch (7.99 KB, patch)
2016-06-14 15:39 PDT, Dean Jackson 		simon.fraser: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Dean Jackson
Comment 1 2016-06-14 15:13:12 PDT
<rdar://problem/17526268> WebCore::decompose4 returns early (false) without initializing its result argument. Various clients of this method accept the return value without checking the result, using uninitialized memory to perform blending and other calculations.
Dean Jackson
Comment 2 2016-06-14 15:16:36 PDT
Created attachment 281289 [details] Patch
Simon Fraser (smfr)
Comment 3 2016-06-14 15:27:22 PDT
Comment on attachment 281289 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=281289&action=review > Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp:366 > + memset(&result, 0, sizeof(result)); > + result.perspectiveW = 1; > + result.scaleX = 1; > + result.scaleY = 1; > + result.scaleZ = 1; Should we just give Decomposed4Type some initializers?
Dean Jackson
Comment 4 2016-06-14 15:39:32 PDT
Created attachment 281291 [details] Patch
Dean Jackson
Comment 5 2016-06-14 15:46:07 PDT
Committed r202068: <http://trac.webkit.org/changeset/202068>
Alexey Proskuryakov
Comment 6 2016-06-17 20:25:40 PDT
The test still times out a lot, can't keep tests so unstable. Will roll out.
WebKit Commit Bot
Comment 7 2016-06-17 20:27:38 PDT
Re-opened since this is blocked by bug 158896
Alexey Proskuryakov
Comment 8 2016-06-17 20:30:24 PDT
Rolled out in <https://trac.webkit.org/r202195>.
Note You need to log in before you can comment on or make changes to this bug.