Changeset 205197 in webkit


Timestamp:
Aug 30, 2016 12:54:37 PM (8 years ago)
Author:
Brent Fulgham
Message:

Use of uninitialised memory in TransformationMatrix::blend4()
https://bugs.webkit.org/show_bug.cgi?id=134621
<rdar://problem/27337539>

Reviewed by Dean Jackson.

Change is based on the Blink change (patch by <alancutter@chromium.org>):
<https://src.chromium.org/viewvc/blink?revision=177453&view=revision>

Source/WebCore:

TransformationMatrix::blend() was attempting to blend between non-invertible
matrices. This resulted in garbage stack variables being used.
This patch ensures that blend() will fall back to a 50% step interpolation
when one of the sides is not invertible.

Tested by new TransformationMatrix test in TestWebKitAPI.

  • platform/graphics/transforms/TransformationMatrix.cpp:
    (WebCore::TransformationMatrix::blend2): Properly handle failure in the decompose method calls.
    (WebCore::TransformationMatrix::blend4): Ditto.

Tools:

  • TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
  • TestWebKitAPI/Tests/WebCore/TransformationMatrix.cpp: Added.
    (TestWebKitAPI::TEST):

Location:
trunk
Files:
1 added
5 edited

  • trunk/Source/WebCore/ChangeLog

    r205194 r205197  
     12016-08-30  Brent Fulgham  <bfulgham@apple.com>
     2
     3        Use of uninitialised memory in TransformationMatrx::blend4()
     4        https://bugs.webkit.org/show_bug.cgi?id=134621
     5        <rdar://problem/27337539>
     6
     7        Reviewed by Dean Jackson.
     8
     9        Change is based on the Blink change (patch by <alancutter@chromium.org>):
     10        <https://src.chromium.org/viewvc/blink?revision=177453&view=revision>
     11
     12        TransformationMatrix::blend() was attempting to blend between non-invertable
     13        matricies. This resulted in garbage stack variables being used.
     14        This patch ensures that blend() will fall back to a 50% step interpolation
     15        when one of the sides are not invertable.
     16
     17        Tested by new TransformationMatrix test in TestWebKitAPI.
     18
     19        * platform/graphics/transforms/TransformationMatrix.cpp:
     20        (WebCore::TransformationMatrix::blend2): Properly handle failure in the
     21        decompose method calls.
     22        (WebCore::TransformationMatrix::blend4): Ditto.
     23
    1242016-08-30  Alex Christensen  <achristensen@webkit.org>
    225
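Review bot: The ChangeLog entry omits TransformationMatrix.h, which this changeset also edits (blend() gains WEBCORE_EXPORT); add a line such as `* platform/graphics/transforms/TransformationMatrix.h: Export blend() so TestWebKitAPI can call it.` so the export is traceable to the test that needs it.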
  • trunk/Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp

    r202195 r205197  
    15021502    Decomposed2Type fromDecomp;
    15031503    Decomposed2Type toDecomp;
    1504     from.decompose2(fromDecomp);
    1505     decompose2(toDecomp);
     1504    if (!from.decompose2(fromDecomp) || !decompose2(toDecomp)) {
     1505        if (progress < 0.5)
     1506            *this = from;
     1507        return;
     1508    }
    15061509
    15071510    // If x-axis of one is flipped, and y-axis of the other, convert to an unflipped rotation.
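Review bot: The early return at lines 1504-1508 encodes the 50% step described only in the ChangeLog; a one-line comment above the `if` (e.g. `// Non-invertible matrices cannot be decomposed; step from 'from' to 'this' at 50%.`) would stop a reader from mistaking it for a silent no-op, and it is worth stating that progress exactly 0.5 selects the target matrix, since `*this` is left unchanged in that case.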
     
    15421545    Decomposed4Type fromDecomp;
    15431546    Decomposed4Type toDecomp;
    1544     from.decompose4(fromDecomp);
    1545     decompose4(toDecomp);
     1547    if (!from.decompose4(fromDecomp) || !decompose4(toDecomp)) {
     1548        if (progress < 0.5)
     1549            *this = from;
     1550        return;
     1551    }
    15461552
    15471553    blendFloat(fromDecomp.scaleX, toDecomp.scaleX, progress);
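Review bot: `fromDecomp` and `toDecomp` at lines 1545-1546 are still left uninitialised, so the fix depends on every path that reads them first checking both return values; value-initialising them (`Decomposed4Type fromDecomp { };`) would make any future regression a deterministic zero blend rather than a garbage read, and the same applies to the identical block in blend2(), which could share a helper with this one.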
  • trunk/Source/WebCore/platform/graphics/transforms/TransformationMatrix.h

    r202195 r205197  
    295295    void recompose4(const Decomposed4Type&);
    296296
    297     void blend(const TransformationMatrix& from, double progress);
     297    WEBCORE_EXPORT void blend(const TransformationMatrix& from, double progress);
    298298    void blend2(const TransformationMatrix& from, double progress);
    299299    void blend4(const TransformationMatrix& from, double progress);
  • trunk/Tools/ChangeLog

    r205194 r205197  
     12016-08-30  Brent Fulgham  <bfulgham@apple.com>
     2
     3        Use of uninitialised memory in TransformationMatrx::blend4()
     4        https://bugs.webkit.org/show_bug.cgi?id=134621
     5        <rdar://problem/27337539>
     6
     7        Reviewed by Dean Jackson.
     8
     9        Change is based on the Blink change (patch by <alancutter@chromium.org>):
     10        <https://src.chromium.org/viewvc/blink?revision=177453&view=revision>
     11
     12        * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
     13        * TestWebKitAPI/Tests/WebCore/TransformationMatrix.cpp: Added.
     14        (TestWebKitAPI::TEST):
     15
    1162016-08-30  Alex Christensen  <achristensen@webkit.org>
    217
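Review bot: The `(TestWebKitAPI::TEST):` line at 14 carries no description; state which case the new test exercises (blending when one side is non-invertible, per the bug title) so the regression it guards can be found from the log without opening the test file.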
  • trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj

    r204916 r205197  
    139139                76E182DF154767E600F1FADD /* auto-submitting-form.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 76E182DE15475A8300F1FADD /* auto-submitting-form.html */; };
    140140                7A1458FC1AD5C07000E06772 /* mouse-button-listener.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 7A1458FB1AD5C03500E06772 /* mouse-button-listener.html */; };
     141                7AD3FE8E1D76131200B169A4 /* TransformationMatrix.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 7AD3FE8D1D75FB8D00B169A4 /* TransformationMatrix.cpp */; };
    141142                7AE9E5091AE5AE8B00CF874B /* test.pdf in Copy Resources */ = {isa = PBXBuildFile; fileRef = 7AE9E5081AE5AE8B00CF874B /* test.pdf */; };
    142143                7C3965061CDD74F90094DBB8 /* Color.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 7C3965051CDD74F90094DBB8 /* Color.cpp */; };
     
    869870                7AA021BA1AB09EA70052953F /* DateMath.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DateMath.cpp; sourceTree = "<group>"; };
    870871                7AA6A1511AAC0B31002B2ED3 /* WorkQueue.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WorkQueue.cpp; sourceTree = "<group>"; };
     872                7AD3FE8D1D75FB8D00B169A4 /* TransformationMatrix.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = TransformationMatrix.cpp; sourceTree = "<group>"; };
    871873                7AE9E5081AE5AE8B00CF874B /* test.pdf */ = {isa = PBXFileReference; lastKnownFileType = image.pdf; path = test.pdf; sourceTree = "<group>"; };
    872874                7C3965051CDD74F90094DBB8 /* Color.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = Color.cpp; sourceTree = "<group>"; };
     
    13431345                                41973B5C1AF22875006C7B36 /* SharedBuffer.cpp */,
    13441346                                CDC2C7141797089D00E627FB /* TimeRanges.cpp */,
     1347                                7AD3FE8D1D75FB8D00B169A4 /* TransformationMatrix.cpp */,
    13451348                                440A1D3814A0103A008A66F2 /* URL.cpp */,
    13461349                                5C6E65411D5CEF8500F7862E /* URLParser.cpp */,
     
    23892392                        files = (
    23902393                                2E7765CD16C4D80A00BA2BB1 /* mainIOS.mm in Sources */,
     2394                                7AD3FE8E1D76131200B169A4 /* TransformationMatrix.cpp in Sources */,
    23912395                                2E7765CF16C4D81100BA2BB1 /* mainMac.mm in Sources */,
    23922396                        );