WebKit Bugzilla
Bug 275999 - REGRESSION(276827@main): Prevent BitmapImageSource from accessing a null ImageDecoder
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=275999
Said Abou-Hallawa, Reported 2024-06-28 10:33:16 PDT
If BitmapImageSource returns EncodedDataStatus::Complete to CachedImage once and was able to get the size of this image, this owner BitmapImage will be marked as a valid (not broken) image. It is supposed to always have a valid m_decoder pointer even if we call resetData() which deletes m_decoder because of memory pressure. resetData() will try to recreate the ImageDecoder from the Image encoded data. And it is supposed to be able to recreate it since it did create it before with the same encoded data. It seems this assumption is not always correct. And we may not be able to recreate the ImageDecoder because of memory limitations. Before 276827@main we were able to handle this case safely. Below is the calling sequence we will go through to decode and draw an ImageFrame. In the old ImageSource::frameAtIndexCacheIfNeeded() if the decoder is null, we used to return null NativeImage without accessing the decoder:

ImageDrawResult BitmapImage::draw(GraphicsContext& context, const FloatRect& destRect, const FloatRect& requestedSrcRect, ImagePaintingOptions options)
{
    ...
    image = nativeImageAtIndexCacheIfNeeded(m_currentFrame, m_currentSubsamplingLevel, options.decodingMode());
    ...
}

RefPtr<NativeImage> BitmapImage::nativeImageAtIndexCacheIfNeeded(size_t index, SubsamplingLevel subsamplingLevel, const DecodingOptions& decodingOptions)
{
    ...
    return m_source->frameImageAtIndexCacheIfNeeded(index, subsamplingLevel, decodingOptions);
}

RefPtr<NativeImage> ImageSource::frameImageAtIndexCacheIfNeeded(size_t index, SubsamplingLevel subsamplingLevel, const DecodingOptions& decodingOptions)
{
    return frameAtIndexCacheIfNeeded(index, ImageFrame::Caching::MetadataAndImage, subsamplingLevel, decodingOptions).nativeImage();
}

const ImageFrame& ImageSource::frameAtIndexCacheIfNeeded(size_t index, ImageFrame::Caching caching, const std::optional<SubsamplingLevel>& subsamplingLevel, const DecodingOptions& decodingOptions)
{
    ...
    ImageFrame& frame = m_frames[index];
    if (!isDecoderAvailable() || frameIsBeingDecodedAndIsCompatibleWithOptionsAtIndex(index, DecodingOptions(DecodingMode::Asynchronous)))
        return frame;
    ...
}
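The failure mode in the report is a decoder that is dropped under memory pressure and then cannot be recreated, so the "always valid m_decoder" assumption breaks. The C++ model below is an added illustration written for this page; it is not WebKit code and not the bug's patch. The types Decoder, ImageFrame and ImageSource, the resetData(bool) flag that forces recreation to fail, ensureDecoder(), drawFrame() and the two scenario functions are all hypothetical stand-ins. It shows the guarded lookup (early return when no decoder is available) degrading to "nothing drawn" instead of dereferencing a null pointer.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical stand-in for an image decoder: it keeps the encoded bytes and
// "decodes" a frame by handing back a copy of them.
struct Decoder {
    explicit Decoder(std::vector<unsigned char> data) : encoded(std::move(data)) {}
    std::vector<unsigned char> decodeFrame(size_t /*index*/) const { return encoded; }
    std::vector<unsigned char> encoded;
};

// One cached frame; hasNativeImage() plays the role of "nativeImage() is non-null".
struct ImageFrame {
    std::vector<unsigned char> pixels;
    bool hasNativeImage() const { return !pixels.empty(); }
};

class ImageSource {
public:
    explicit ImageSource(std::vector<unsigned char> encoded)
        : m_encoded(std::move(encoded)), m_frames(1) { ensureDecoder(); }

    // Models memory pressure: drop the decoder and the cached frames. The flag
    // decides whether the later attempt to recreate the decoder fails, which is
    // the situation the bug report describes.
    void resetData(bool recreationWillFail)
    {
        m_decoder.reset();
        m_frames.assign(m_frames.size(), ImageFrame());
        m_recreationFails = recreationWillFail;
    }

    bool isDecoderAvailable() { return ensureDecoder(); }

    // Guarded lookup: with no decoder we return the still-undecoded frame instead
    // of touching m_decoder. Removing this early return is the regression.
    const ImageFrame& frameAtIndexCacheIfNeeded(size_t index)
    {
        ImageFrame& frame = m_frames.at(index);
        if (!isDecoderAvailable())
            return frame;
        if (!frame.hasNativeImage())
            frame.pixels = m_decoder->decodeFrame(index);
        return frame;
    }

private:
    bool ensureDecoder()
    {
        if (m_decoder)
            return true;
        if (m_recreationFails)
            return false; // stands in for decoder creation returning null
        m_decoder = std::make_unique<Decoder>(m_encoded);
        return true;
    }

    std::vector<unsigned char> m_encoded;
    std::vector<ImageFrame> m_frames;
    std::unique_ptr<Decoder> m_decoder;
    bool m_recreationFails = false;
};

// Equivalent of a draw() asking for frame 0: true if a native image was obtained.
bool drawFrame(ImageSource& source)
{
    return source.frameAtIndexCacheIfNeeded(0).hasNativeImage();
}

// The sequence from the report: decode once, lose the decoder under memory
// pressure, fail to recreate it, draw again. Returns true when the second draw
// degrades to "nothing drawn" rather than crashing.
bool scenarioSurvivesDecoderLoss()
{
    // Constructed sample bytes, not a real image.
    ImageSource source(std::vector<unsigned char>{0x89, 'P', 'N', 'G'});
    bool first = drawFrame(source);
    source.resetData(true);
    bool second = drawFrame(source);
    return first && !second;
}

// Control case: the decoder can be recreated, so drawing after resetData() works again.
bool scenarioRecoversWhenDecoderRecreated()
{
    ImageSource source(std::vector<unsigned char>{0x89, 'P', 'N', 'G'});
    drawFrame(source);
    source.resetData(false);
    return drawFrame(source);
}

int main()
{
    std::printf("survives decoder loss: %s\n", scenarioSurvivesDecoderLoss() ? "yes" : "no");
    std::printf("recovers when recreated: %s\n", scenarioRecoversWhenDecoderRecreated() ? "yes" : "no");
    return 0;
}
```

The point of the model is the ordering inside frameAtIndexCacheIfNeeded(): availability is checked (and recreation attempted) before any use of the decoder pointer, so a failed recreation is a visible "no image" result for the caller rather than a null dereference deep in the draw path.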
Said Abou-Hallawa, Comment 1, 2024-06-28 10:33:59 PDT
rdar://129791964
Radar WebKit Bug Importer, Comment 2, 2024-06-28 10:34:11 PDT
<rdar://problem/130764389>
Said Abou-Hallawa, Comment 3, 2024-06-28 10:35:15 PDT
rdar://129791964
Said Abou-Hallawa, Comment 4, 2024-06-28 10:40:00 PDT
Pull request: https://github.com/WebKit/WebKit/pull/30275
EWS, Comment 5, 2024-07-01 10:00:34 PDT
Committed 280540@main (da23487493c6): <https://commits.webkit.org/280540@main>
Reviewed commits have been landed. Closing PR #30275 and removing active labels.