Bug 225574 - Add back protection of the pixel buffer in ImageBufferCGBackend::toCFData removed in r277237
Summary: Add back protection of the pixel buffer in ImageBufferCGBackend::toCFData rem...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Sam Weinig
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-05-08 19:08 PDT by Sam Weinig
Modified: 2021-05-09 18:49 PDT
CC: 6 users

See Also:


Attachments
Patch (5.90 KB, patch)
2021-05-08 19:22 PDT, Sam Weinig

Description Sam Weinig 2021-05-08 19:08:21 PDT
Add back protection of the pixel buffer in ImageBufferCGBackend::toCFData removed in r277237
Comment 1 Sam Weinig 2021-05-08 19:22:24 PDT
Created attachment 428108 [details]
Patch
Comment 2 Darin Adler 2021-05-08 20:58:47 PDT
Comment on attachment 428108 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=428108&action=review

> Source/WebCore/platform/graphics/cg/GraphicsContextGLCG.cpp:526
> +    size_t dataSize = rowBytes * imageSize.height();

Not new: This computation is peculiar because it’s done as a 32-bit integer and then the results are put into a size_t. If it’s too big for 32-bits, it will overflow.

> Source/WebCore/platform/graphics/cg/GraphicsContextGLCG.cpp:530
> +        reinterpret_cast<ImageData*>(context)->deref();

Since this is void*, we can and should use static_cast instead of reinterpret_cast.

> Source/WebCore/platform/graphics/cg/ImageBufferCGBackend.cpp:201
> +            reinterpret_cast<ImageData*>(context)->deref();

Ditto.
Comment 3 EWS 2021-05-09 18:48:17 PDT
Committed r277255 (237524@main): <https://commits.webkit.org/237524@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 428108 [details].
Comment 4 Radar WebKit Bug Importer 2021-05-09 18:49:13 PDT
<rdar://problem/77723692>
Comment 5 Sam Weinig 2021-05-09 18:49:54 PDT
(In reply to Darin Adler from comment #2)
> Comment on attachment 428108 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=428108&action=review
> 
> > Source/WebCore/platform/graphics/cg/GraphicsContextGLCG.cpp:526
> > +    size_t dataSize = rowBytes * imageSize.height();
> 
> Not new: This computation is peculiar because it’s done as a 32-bit integer
> and then the results are put into a size_t. If it’s too big for 32-bits, it
> will overflow.

I agree it's odd, but I don't believe it can overflow, since ImageData checks for that case in all its create functions and fails if it overflows. My guess about the size_t is that that is what CGDataProviderCreateWithData takes and so someone was just matching types.

> 
> > Source/WebCore/platform/graphics/cg/GraphicsContextGLCG.cpp:530
> > +        reinterpret_cast<ImageData*>(context)->deref();
> 
> Since this is void*, we can and should use static_cast instead of
> reinterpret_cast.
> 
> > Source/WebCore/platform/graphics/cg/ImageBufferCGBackend.cpp:201
> > +            reinterpret_cast<ImageData*>(context)->deref();
> 
> Ditto.

Going to fix this in the next patch, where I touch this once again.
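Added illustration (not part of the bug thread, and not WebKit code) of the two points raised in comment 2 and answered in comment 5: keeping the pixel buffer alive for exactly as long as the data provider references it, and how a size computed as a 32-bit product and only then widened to size_t can wrap. PixelBuffer, DataProvider, createProvider, naiveDataSize and checkedDataSize are hypothetical stand-ins for ImageData and CGDataProviderCreateWithData; unsigned operands are used for the naive multiply so the wrap is well-defined and observable rather than undefined behaviour.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <memory>
#include <optional>
#include <vector>

// Hypothetical stand-ins for WebCore::ImageData and CGDataProvider; the names
// are assumptions made for this example, not WebKit's types.

static int g_liveBuffers = 0;   // PixelBuffer objects currently allocated

struct PixelBuffer {
    std::vector<uint8_t> bytes;
    unsigned refCount = 1;   // the creator holds the first reference

    explicit PixelBuffer(size_t n) : bytes(n) { ++g_liveBuffers; }
    ~PixelBuffer() { --g_liveBuffers; }

    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};

// Models the releaseData callback of CGDataProviderCreateWithData: the
// provider hands back the void* it was created with. Because the context is
// a void*, static_cast is the correct cast here (the review point), not
// reinterpret_cast.
static void releasePixelBuffer(void* context, const void*, size_t)
{
    static_cast<PixelBuffer*>(context)->deref();
}

using ReleaseCallback = void (*)(void*, const void*, size_t);

struct DataProvider {
    void* context;
    const void* data;
    size_t size;
    ReleaseCallback release;
    ~DataProvider() { release(context, data, size); }
};

// Takes a reference on the buffer for the provider's lifetime. This is the
// "protection" the bug title refers to: the bytes handed to the provider
// stay valid even after the caller drops its own reference, until the
// release callback runs.
static std::unique_ptr<DataProvider> createProvider(PixelBuffer& buffer)
{
    buffer.ref();
    return std::unique_ptr<DataProvider>(new DataProvider {
        &buffer, buffer.bytes.data(), buffer.bytes.size(), releasePixelBuffer });
}

// The pattern flagged in review: the multiply is done in 32 bits and only the
// (possibly wrapped) result is widened to size_t.
static size_t naiveDataSize(unsigned rowBytes, unsigned height)
{
    size_t dataSize = rowBytes * height;
    return dataSize;
}

// Widen first, then check the product against size_t's range. Returns no
// value for a negative height or an overflowing product.
static std::optional<size_t> checkedDataSize(unsigned rowBytes, int height)
{
    if (height < 0)
        return std::nullopt;
    size_t rb = rowBytes;
    size_t h = static_cast<size_t>(height);
    if (rb && h > std::numeric_limits<size_t>::max() / rb)
        return std::nullopt;
    return rb * h;
}

// Walks the lifetime: true only if the buffer survives its creator dropping
// the reference and is freed exactly when the provider goes away.
static bool providerKeepsBufferAlive()
{
    auto* buffer = new PixelBuffer(4 * 2 * 2);   // constructed 2x2 RGBA image
    auto provider = createProvider(*buffer);
    if (buffer->refCount != 2)
        return false;
    buffer->deref();                 // creator is done with it
    if (g_liveBuffers != 1)          // still alive: the provider holds it
        return false;
    provider.reset();                // release callback derefs and frees
    return g_liveBuffers == 0;
}
```

With a 65536-pixel-wide RGBA row (262144 row bytes) and a height of 65536, naiveDataSize wraps to 0 while checkedDataSize yields 2^34 on a 64-bit size_t and refuses on a 32-bit one; as comment 5 notes, in WebKit the create functions reject such sizes before this code is reached, so the example shows why that earlier check is load-bearing.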