WebKit Bugzilla
RESOLVED FIXED
220584
createImageBitmap() causes null pointer dereference using Cairo lib
https://bugs.webkit.org/show_bug.cgi?id=220584
wz906234737
Reported
2021-01-13 03:21:45 PST
Created attachment 417519: the script caused crash

1. Reproduce of crash:

(1) open inspector window and run the script below in the console;
(2) the script is:

```javascript
(function () {
    const _1 = 32769;
    const _0 = new ImageData(1, _1);
    const _3 = {resizeHeight: 1};
    return createImageBitmap(_0, _3);
})();
```

Changing `_1` to less than 32768 will be safe. The critical point `32768` would cause a crash on the `debug` version, but is OK on the `release` version.

2. Analysis

I found the crash was caused by a null pointer dereference in `Source/WebCore/html/ImageBitmap.cpp:823`. Because the `Cairo` library limits image width and height to less than 32768, and will return nullptr if larger than the limit. The limit `cairoMaxImageSize` is defined in `Source/WebCore/platform/graphics/ImageBackingStore.h:39`. The function `create` is defined in `Source/WebCore/platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp:44`. Part of the code that returns nullptr:

```cpp
// Source/WebCore/platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp:50
IntSize backendSize = calculateBackendSize(parameters.logicalSize, parameters.resolutionScale);
if (backendSize.isEmpty() || backendSize.width() > cairoMaxImageSize || backendSize.height() > cairoMaxImageSize)
    return nullptr;
```
Attachments

the script caused crash (156 bytes, text/plain), 2021-01-13 03:21 PST, wz906234737, no flags
WIP patch (1.12 KB, patch), 2021-01-14 23:35 PST, Fujii Hironori, no flags
Patch (6.30 KB, patch), 2021-01-17 21:32 PST, Fujii Hironori, no flags
wz906234737
Comment 1
2021-01-13 03:25:54 PST
The code that dereferences nullptr:

```cpp
// Source/WebCore/html/ImageBitmap.cpp:822
auto tempBitmapData = createImageBuffer(scriptExecutionContext, imageData->size(), bufferRenderingMode);
// `tempBitmapData`: createImageBuffer(...) fails and returns a nullptr
tempBitmapData->putImageData(AlphaPremultiplication::Unpremultiplied, *imageData, IntRect(0, 0, imageData->width(), imageData->height()), { }, alphaPremultiplication);
```
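A standalone model of the failure and its guard, added here as an example and not WebKit's own code: it keeps the nullptr-returning branch quoted from the report, substitutes an assumed `calculateBackendSize` (logical size times resolution scale) for the real one, and shows the `createImageBitmap()` path from Comment 1 with the null check whose absence produces the crash.

```cpp
#include <memory>

// Cairo's per-dimension image limit, the value the report cites from
// ImageBackingStore.h. The types below are a simplified stand-in for
// WebKit's, not WebKit's own code.
constexpr int cairoMaxImageSize = 32768;

struct IntSize {
    int width;
    int height;
    bool isEmpty() const { return width <= 0 || height <= 0; }
};

struct ImageBuffer { IntSize backendSize; };

// Assumed model of calculateBackendSize(): logical size scaled by the
// resolution scale, truncated to int.
IntSize calculateBackendSize(IntSize logicalSize, float resolutionScale) {
    return { static_cast<int>(logicalSize.width * resolutionScale),
             static_cast<int>(logicalSize.height * resolutionScale) };
}

// Mirrors the nullptr-returning branch quoted from
// ImageBufferCairoImageSurfaceBackend::create in the report.
std::unique_ptr<ImageBuffer> createImageBuffer(IntSize logicalSize, float resolutionScale) {
    IntSize backendSize = calculateBackendSize(logicalSize, resolutionScale);
    if (backendSize.isEmpty() || backendSize.width > cairoMaxImageSize
        || backendSize.height > cairoMaxImageSize)
        return nullptr;  // allocation refused: the caller must handle this
    return std::make_unique<ImageBuffer>(ImageBuffer{ backendSize });
}

enum class BitmapResult { Ok, AllocationFailed };

// Model of the createImageBitmap() path from Comment 1 with the missing
// null check added: a refused buffer becomes a reportable failure
// instead of a dereference of nullptr.
BitmapResult createImageBitmapGuarded(IntSize imageDataSize, float resolutionScale) {
    auto tempBitmapData = createImageBuffer(imageDataSize, resolutionScale);
    if (!tempBitmapData)
        return BitmapResult::AllocationFailed;
    // putImageData(...) would operate on *tempBitmapData here.
    return BitmapResult::Ok;
}

int main() {
    // The report's ImageData(1, 32769) with resizeHeight: 1 must not crash.
    return createImageBitmapGuarded({ 1, 32769 }, 1.0f) == BitmapResult::AllocationFailed ? 0 : 1;
}
```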
Fujii Hironori
Comment 2
2021-01-14 23:35:56 PST
Created attachment 417678: WIP patch
Fujii Hironori
Comment 3
2021-01-17 21:32:17 PST
Created attachment 417792: Patch
Fujii Hironori
Comment 4
2021-01-18 12:13:17 PST
Comment on attachment 417792: Patch

Clearing flags on attachment: 417792

Committed r271583: <https://trac.webkit.org/changeset/271583>
Fujii Hironori
Comment 5
2021-01-18 12:13:21 PST
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 6
2021-01-18 12:14:15 PST
<rdar://problem/73327997>