RESOLVED FIXED Bug 196340
[Cairo] out-of-bounds read in ShareableBitmap::paint if a fractional device scale factor is used
https://bugs.webkit.org/show_bug.cgi?id=196340
Fujii Hironori
Reported 2019-03-27 22:19:45 PDT
[Cairo] Segmentation fault in Cairo::drawPatternToCairoContext with 1.5x device scale factor high DPI display

I'm working on WinCairo WK2 High DPI support in Bug 196339. It's easy to cause segmentation faults in Cairo::drawPatternToCairoContext. I'm using 1.5x device scale factor high DPI. It's no problem if I tweak deviceScaleFactor to 2x.

> cairo.dll!_pixman_implementation_create_sse2() C
> cairo.dll!_pixman_gradient_walker_pixel() C
> cairo.dll!pixman_image_composite32() C
> cairo.dll!_inplace_src_spans(void * abstract_renderer, int y, int h, const _cairo_half_open_span * spans, unsigned int num_spans) Line 2716 C
> cairo.dll!generate_row(_cairo_span_renderer * renderer, const _rectangle * r, int y, int h, unsigned short coverage) Line 626 C
> cairo.dll!_cairo_rectangular_scan_converter_generate(void * converter, _cairo_span_renderer * renderer) Line 673 C
> cairo.dll!composite_boxes(const cairo_spans_compositor * compositor, _cairo_composite_rectangles * extents, _cairo_boxes_t * boxes) Line 741 C
> cairo.dll!clip_and_composite_boxes(const cairo_spans_compositor * compositor, _cairo_composite_rectangles * extents, _cairo_boxes_t * boxes) Line 888 C
> cairo.dll!_cairo_spans_compositor_mask(const cairo_compositor * _compositor, _cairo_composite_rectangles * extents) Line 1000 C
> cairo.dll!_cairo_compositor_paint(const cairo_compositor * compositor, _cairo_surface * surface, _cairo_operator op, const _cairo_pattern * source, const _cairo_clip * clip) Line 67 C
> cairo.dll!_cairo_image_surface_paint(void * abstract_surface, _cairo_operator op, const _cairo_pattern * source, const _cairo_clip * clip) Line 931 C
> cairo.dll!_cairo_surface_paint(_cairo_surface * surface, _cairo_operator op, const _cairo_pattern * source, const _cairo_clip * clip) Line 2199 C
> cairo.dll!_cairo_gstate_paint(_cairo_gstate * gstate) Line 1061 C
> cairo.dll!_cairo_default_context_paint_with_alpha(void * abstract_cr, double alpha) Line 971 C
> cairo.dll!cairo_paint_with_alpha(_cairo * cr, double alpha) Line 2248 C
> WebKit2.dll!WebCore::Cairo::drawPatternToCairoContext(_cairo * cr, _cairo_pattern * pattern, const WebCore::FloatRect & destRect, float alpha) Line 156 C++
> WebKit2.dll!WebCore::Cairo::drawSurface(WebCore::PlatformContextCairo & platformContext, _cairo_surface * surface, const WebCore::FloatRect & destRect, const WebCore::FloatRect & originalSrcRect, WebCore::InterpolationQuality imageInterpolationQuality, float globalAlpha, const WebCore::Cairo::ShadowState & shadowState) Line 944 C++
> WebKit2.dll!WebKit::ShareableBitmap::paint(WebCore::GraphicsContext & context, float scaleFactor, const WebCore::IntPoint & dstPoint, const WebCore::IntRect & srcRect) Line 80 C++
> WebKit2.dll!WebKit::BackingStore::incorporateUpdate(WebKit::ShareableBitmap * bitmap, const WebKit::UpdateInfo & updateInfo) Line 93 C++
> WebKit2.dll!WebKit::BackingStore::incorporateUpdate(const WebKit::UpdateInfo & updateInfo) Line 62 C++
> WebKit2.dll!WebKit::DrawingAreaProxyCoordinatedGraphics::incorporateUpdate(const WebKit::UpdateInfo & updateInfo) Line 255 C++
> WebKit2.dll!WebKit::DrawingAreaProxyCoordinatedGraphics::update(unsigned __int64 backingStoreStateID, const WebKit::UpdateInfo & updateInfo) Line 157 C++
> WebKit2.dll!IPC::callMemberFunctionImpl<WebKit::DrawingAreaProxy,void (WebKit::DrawingAreaProxy::*)(unsigned long long, const WebKit::UpdateInfo &),std::tuple<unsigned long long,WebKit::UpdateInfo>,0,1>(WebKit::DrawingAreaProxy * object, void(WebKit::DrawingAreaProxy::*)(unsigned __int64, const WebKit::UpdateInfo &) function, std::tuple<unsigned long long,WebKit::UpdateInfo> && args, std::integer_sequence<unsigned long long,0,1>) Line 42 C++
> WebKit2.dll!IPC::callMemberFunction<WebKit::DrawingAreaProxy,void (WebKit::DrawingAreaProxy::*)(unsigned long long, const WebKit::UpdateInfo &),std::tuple<unsigned long long,WebKit::UpdateInfo>,std::integer_sequence<unsigned long long,0,1> >(std::tuple<unsigned long long,WebKit::UpdateInfo> && args, WebKit::DrawingAreaProxy * object, void(WebKit::DrawingAreaProxy::*)(unsigned __int64, const WebKit::UpdateInfo &) function) Line 47 C++
> WebKit2.dll!IPC::handleMessage<Messages::DrawingAreaProxy::Update,WebKit::DrawingAreaProxy,void (WebKit::DrawingAreaProxy::*)(unsigned long long, const WebKit::UpdateInfo &)>(IPC::Decoder & decoder, WebKit::DrawingAreaProxy * object, void(WebKit::DrawingAreaProxy::*)(unsigned __int64, const WebKit::UpdateInfo &) function) Line 121 C++
> WebKit2.dll!WebKit::DrawingAreaProxy::didReceiveMessage(IPC::Connection & connection, IPC::Decoder & decoder) Line 50 C++
> WebKit2.dll!IPC::MessageReceiverMap::dispatchMessage(IPC::Connection & connection, IPC::Decoder & decoder) Line 124 C++
> WebKit2.dll!WebKit::AuxiliaryProcessProxy::dispatchMessage(IPC::Connection & connection, IPC::Decoder & decoder) Line 155 C++
> WebKit2.dll!WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection & connection, IPC::Decoder & decoder) Line 619 C++
> WebKit2.dll!IPC::Connection::dispatchMessage(IPC::Decoder & decoder) Line 984 C++
> WebKit2.dll!IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder,std::default_delete<IPC::Decoder> > message) Line 1012 C++
> WebKit2.dll!IPC::Connection::dispatchIncomingMessages() Line 1116 C++
> WebKit2.dll!IPC::Connection::enqueueIncomingMessage::<unnamed-tag>::operator()() Line 959 C++
> WebKit2.dll!WTF::Function<void ()>::CallableWrapper<`lambda at ..\..\Source\WebKit\Platform\IPC\Connection.cpp:957:30'>::call() Line 102 C++
> WTF.dll!WTF::Function<void ()>::operator()() Line 57 C++
> WTF.dll!WTF::RunLoop::performWork() Line 107 C++
> WTF.dll!WTF::RunLoop::wndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 57 C++
> WTF.dll!WTF::RunLoop::RunLoopWndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 39 C++
> [External Code]
> WebKit.dll!WebKitMessageLoop::run(HACCEL__ * hAccelTable) Line 94 C++
> MiniBrowserLib.dll!wWinMain(HINSTANCE__ * hInstance, HINSTANCE__ * hPrevInstance, wchar_t * lpstrCmdLine, int nCmdShow) Line 97 C++
> MiniBrowserLib.dll!dllLauncherEntryPoint(HINSTANCE__ * hInstance, HINSTANCE__ * hPrevInstance, wchar_t * lpstrCmdLine, int nCmdShow) Line 115 C++
> MiniBrowser.exe!wWinMain(HINSTANCE__ * hInstance, HINSTANCE__ * hPrevInstance, wchar_t * lpstrCmdLine, int nCmdShow) Line 232 C++
> [External Code]
Attachments
WIP patch (1.23 KB, patch)
2019-03-27 23:19 PDT, Fujii Hironori
no flags
Patch (2.27 KB, patch)
2019-09-01 21:23 PDT, Fujii Hironori
no flags
Fujii Hironori
Comment 1 2019-03-27 23:19:32 PDT
Created attachment 366154 [details] WIP patch
Fujii Hironori
Comment 2 2019-09-01 21:23:25 PDT
Brent Fulgham
Comment 3 2019-09-01 22:43:38 PDT
Comment on attachment 377837 [details] Patch

This looks correct to me, and seems to satisfy the CI system.
Fujii Hironori
Comment 4 2019-09-01 23:03:37 PDT
Comment on attachment 377837 [details] Patch

Clearing flags on attachment: 377837

Committed r249375: <https://trac.webkit.org/changeset/249375>
Fujii Hironori
Comment 5 2019-09-01 23:03:40 PDT
All reviewed patches have been landed. Closing bug.