158761 – decompose4 return value is unchecked, leading to potentially uninitialized data.

Bug 158761 - decompose4 return value is unchecked, leading to potentially uninitialized data.

Summary: decompose4 return value is unchecked, leading to potentially uninitialized data.

Status:	REOPENED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	New Bugs (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Dean Jackson

URL:
Keywords:

Depends on:	158896
Blocks:
	Show dependency tree / graph

Reported:	2016-06-14 15:09 PDT by Dean Jackson
Modified:	2016-06-17 20:30 PDT (History)
CC List:	1 user (show)

See Also:	158816

Attachments
Patch (6.91 KB, patch) 2016-06-14 15:16 PDT, Dean Jackson	no flags	Details \| Formatted Diff \| Diff
Patch (7.99 KB, patch) 2016-06-14 15:39 PDT, Dean Jackson	simon.fraser: review+	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Dean Jackson 2016-06-14 15:09:05 PDT

decompose4 return value is unchecked, leading to potentially uninitialized data.

Comment 1 Dean Jackson 2016-06-14 15:13:12 PDT

<rdar://problem/17526268>

WebCore::decompose4 returns early (false) without initializing its result argument. Various clients of this method accept the return value without checking the result, using uninitialized memory to perform blending and other calculations.

Comment 2 Dean Jackson 2016-06-14 15:16:36 PDT

Created attachment 281289 [details]
Patch

Comment 3 Simon Fraser (smfr) 2016-06-14 15:27:22 PDT

Comment on attachment 281289 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=281289&action=review

> Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp:366
> +    memset(&result, 0, sizeof(result));
> +    result.perspectiveW = 1;
> +    result.scaleX = 1;
> +    result.scaleY = 1;
> +    result.scaleZ = 1;

Should we just give Decomposed4Type some initializers?

Comment 4 Dean Jackson 2016-06-14 15:39:32 PDT

Created attachment 281291 [details]
Patch

Comment 5 Dean Jackson 2016-06-14 15:46:07 PDT

Committed r202068: <http://trac.webkit.org/changeset/202068>

Comment 6 Alexey Proskuryakov 2016-06-17 20:25:40 PDT

The test still times out a lot, can't keep tests so unstable. Will roll out.

Comment 7 WebKit Commit Bot 2016-06-17 20:27:38 PDT

Re-opened since this is blocked by bug 158896

Comment 8 Alexey Proskuryakov 2016-06-17 20:30:24 PDT

Rolled out in <https://trac.webkit.org/r202195>.