Bug 217668 - Null dereference in PDFPlugin::snapshot()
Summary: Null dereference in PDFPlugin::snapshot()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: PDF (show other bugs)
Version: WebKit Nightly Build
Hardware: Mac Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-10-13 14:15 PDT by Julian Gonzalez
Modified: 2020-10-13 16:28 PDT (History)
2 users (show)

See Also:


Attachments
Crash log (7.40 KB, text/plain)
2020-10-13 14:15 PDT, Julian Gonzalez
no flags Details
Patch (3.43 KB, patch)
2020-10-13 14:25 PDT, Julian Gonzalez
no flags Details | Formatted Diff | Diff
Patch (3.46 KB, patch)
2020-10-13 14:34 PDT, Julian Gonzalez
no flags Details | Formatted Diff | Diff
Crash log (5.83 KB, text/plain)
2020-10-13 14:41 PDT, Julian Gonzalez
no flags Details
Crash log (2.54 KB, text/plain)
2020-10-13 14:42 PDT, Julian Gonzalez
no flags Details
Patch (3.54 KB, patch)
2020-10-13 15:18 PDT, Julian Gonzalez
no flags Details | Formatted Diff | Diff
Patch (3.51 KB, patch)
2020-10-13 15:38 PDT, Julian Gonzalez
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Julian Gonzalez 2020-10-13 14:15:52 PDT
Created attachment 411254 [details]
Crash log

In PDFPlugin::snapshot(), it's possible to dereference nullptr:

RefPtr<ShareableBitmap> PDFPlugin::snapshot()
{
...
    auto bitmap = ShareableBitmap::createShareable(backingStoreSize, { });
    auto context = bitmap->createGraphicsContext();
    if (!context)
        return nullptr;
...
}

bitmap here can be nullptr, so it must be checked before use.
Attaching a crash log.
Comment 1 Julian Gonzalez 2020-10-13 14:25:57 PDT
Created attachment 411256 [details]
Patch
Comment 2 Julian Gonzalez 2020-10-13 14:30:36 PDT
<rdar://problem/70173839>
Comment 3 Julian Gonzalez 2020-10-13 14:34:22 PDT
Created attachment 411257 [details]
Patch
Comment 4 Julian Gonzalez 2020-10-13 14:41:53 PDT
Created attachment 411259 [details]
Crash log
Comment 5 Julian Gonzalez 2020-10-13 14:42:24 PDT
Created attachment 411260 [details]
Crash log
Comment 6 Julian Gonzalez 2020-10-13 15:18:46 PDT
Created attachment 411267 [details]
Patch
Comment 7 Ryosuke Niwa 2020-10-13 15:23:44 PDT
Comment on attachment 411267 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=411267&action=review

> LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:4
> +/*begincss*/

This comment is useless. Please remove it.

> LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:5
> +:not(glyphRef) { zoom: 61; }

Do we really need it?
If we do, I presume we only need it on body or embed so I'd suggest either one of:
embed { zoom: 61; }
body { zoom: 61; }
embed, body { zoom: 61; }

> LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:6
> +/*endcss*/

Ditto.
Comment 8 Ryosuke Niwa 2020-10-13 15:24:06 PDT
Comment on attachment 411267 [details]
Patch

cq- because I'd like to see the test case being improved.
Comment 9 Julian Gonzalez 2020-10-13 15:25:21 PDT
(In reply to Ryosuke Niwa from comment #7)
> Comment on attachment 411267 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=411267&action=review
> 
> > LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:4
> > +/*begincss*/
> 
> This comment is useless. Please remove it.
> 

Will do.

> > LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:5
> > +:not(glyphRef) { zoom: 61; }
> 
> Do we really need it?
> If we do, I presume we only need it on body or embed so I'd suggest either
> one of:
> embed { zoom: 61; }
> body { zoom: 61; }
> embed, body { zoom: 61; }
> 

We do, unfortunately. I'll try the suggestions.

> > LayoutTests/plugins/pdf-plugin-null-onloaddeddata.html:6
> > +/*endcss*/
> 
> Ditto.

Ditto the ditto.
Comment 10 Julian Gonzalez 2020-10-13 15:38:32 PDT
Created attachment 411271 [details]
Patch
Comment 11 EWS 2020-10-13 16:28:05 PDT
Committed r268432: <https://trac.webkit.org/changeset/268432>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 411271 [details].