Changeset 202887 in webkit

Timestamp:

Jul 6, 2016 6:02:57 PM (8 years ago)

Author:

Brent Fulgham

Message:

Return values of JSArray::createUninitialized (and related) are not consistently checked for nullptr
​https://bugs.webkit.org/show_bug.cgi?id=159495
<rdar://problem/26075433>

Reviewed by Dean Jackson.

Source/WebCore:

Test: fast/canvas/canvas-getImageData-invalid-result-buffer-crash.html

• html/ImageData.cpp:

(WebCore::ImageData::ImageData): Assert at construction if we could not create a valid
buffer.

• platform/SharedBuffer.cpp:

(WebCore::SharedBuffer::createArrayBuffer): Check for a null buffer before using it.

• platform/graphics/cg/ImageBufferDataCG.cpp:

(WebCore::ImageBufferData::getData): Ditto.

• platform/graphics/filters/FEGaussianBlur.cpp:

(WebCore::FEGaussianBlur::platformApplySoftware): Ditto.

• platform/graphics/filters/FilterEffect.cpp:

(WebCore::FilterEffect::copyImageBytes): Ditto.
(WebCore::FilterEffect::copyUnmultipliedImage): Ditto.
(WebCore::FilterEffect::copyPremultipliedImage): Ditto.

LayoutTests:

• fast/canvas/canvas-getImageData-invalid-result-buffer-crash.html: Added.
• fast/canvas/canvas-getImageData-invalid-result-buffer-crash-expected.txt: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/canvas/canvas-getImageData-invalid-result-buffer-crash-expected.txt (added)
• LayoutTests/fast/canvas/canvas-getImageData-invalid-result-buffer-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/html/ImageData.cpp (modified) (2 diffs)
• Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp (modified) (1 diff)
• Source/WebCore/platform/SharedBuffer.cpp (modified) (2 diffs)
• Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp (modified) (2 diffs)
• Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp (modified) (2 diffs)
• Source/WebCore/platform/graphics/filters/FilterEffect.cpp (modified) (4 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-07-06  Brent Fulgham  <bfulgham@apple.com>
+
+        Return values of JSArray::createUninitialized (and related) are not consistently checked for nullptr
+        https://bugs.webkit.org/show_bug.cgi?id=159495
+        <rdar://problem/26075433>
+
+        Reviewed by Dean Jackson.
+
+        * fast/canvas/canvas-getImageData-invalid-result-buffer-crash.html: Added.
+        * fast/canvas/canvas-getImageData-invalid-result-buffer-crash-expected.txt: Added.
+
 2016-07-06  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-07-06  Brent Fulgham  <bfulgham@apple.com>
+
+        Return values of JSArray::createUninitialized (and related) are not consistently checked for nullptr
+        https://bugs.webkit.org/show_bug.cgi?id=159495
+        <rdar://problem/26075433>
+
+        Reviewed by Dean Jackson.
+
+        Test: fast/canvas/canvas-getImageData-invalid-result-buffer-crash.html
+
+        * html/ImageData.cpp:
+        (WebCore::ImageData::ImageData): Assert at construction if we could not create a valid
+        buffer.
+        * platform/SharedBuffer.cpp:
+        (WebCore::SharedBuffer::createArrayBuffer): Check for a null buffer before using it.
+        * platform/graphics/cg/ImageBufferDataCG.cpp:
+        (WebCore::ImageBufferData::getData): Ditto.
+        * platform/graphics/filters/FEGaussianBlur.cpp:
+        (WebCore::FEGaussianBlur::platformApplySoftware): Ditto.
+        * platform/graphics/filters/FilterEffect.cpp:
+        (WebCore::FilterEffect::copyImageBytes): Ditto.
+        (WebCore::FilterEffect::copyUnmultipliedImage): Ditto.
+        (WebCore::FilterEffect::copyPremultipliedImage): Ditto.
+
 2016-07-06  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebCore/html/ImageData.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2016 Apple Inc. All rights reserved.
  * Copyright (C) 2014 Adobe Systems Incorporated. All rights reserved.
  *
@@ -116 +116 @@
     , m_data(Uint8ClampedArray::createUninitialized(size.width() * size.height() * 4))
 {
+    ASSERT_WITH_SECURITY_IMPLICATION(m_data);
 }
 

trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp

@@ -2032 +2032 @@
 
     RefPtr<Uint8ClampedArray> byteArray = buffer->getUnmultipliedImageData(imageDataRect, coordinateSystem);
-    if (!byteArray)
+    if (!byteArray) {
+        StringBuilder consoleMessage;
+        consoleMessage.appendLiteral("Unable to get image data from canvas. Requested size was ");
+        consoleMessage.appendNumber(imageDataRect.width());
+        consoleMessage.appendLiteral(" x ");
+        consoleMessage.appendNumber(imageDataRect.height());
+
+        canvas()->document().addConsoleMessage(MessageSource::Rendering, MessageLevel::Error, consoleMessage.toString());
+        ec = INVALID_STATE_ERR;
         return nullptr;
+    }
 
     return ImageData::create(imageDataRect.size(), byteArray.releaseNonNull());

trunk/Source/WebCore/platform/SharedBuffer.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2006, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2016 Apple Inc. All rights reserved.
  * Copyright (C) Research In Motion Limited 2009-2010. All rights reserved.
  * Copyright (C) 2015 Canon Inc. All rights reserved.
@@ -145 +145 @@
 {
     RefPtr<ArrayBuffer> arrayBuffer = ArrayBuffer::createUninitialized(static_cast<unsigned>(size()), sizeof(char));
+    if (!arrayBuffer) {
+        WTFLogAlways("SharedBuffer::createArrayBuffer Unable to create buffer. Requested size was %d x %lu\n", size(), sizeof(char));
+        return nullptr;
+    }
 
     const char* segment = 0;

trunk/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2011 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -98 +98 @@
 
     auto result = Uint8ClampedArray::createUninitialized(area.unsafeGet());
-    unsigned char* resultData = result->data();
-    if (!resultData) {
-        WTFLogAlways("ImageBufferData: Unable to create buffer. Requested size was %d x %d = %u\n", rect.width(), rect.height(), area.unsafeGet());
+    unsigned char* resultData = result ? result->data() : nullptr;
+    if (!resultData)
         return nullptr;
-    }
 
     Checked<int> endx = rect.maxX();

trunk/Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp

@@ -6 +6 @@
  * Copyright (C) 2010 Igalia, S.L.
  * Copyright (C) Research In Motion Limited 2010. All rights reserved.
- * Copyright (C) 2015 Apple, Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple, Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -541 +541 @@
     paintSize.scale(filter().filterScale());
     RefPtr<Uint8ClampedArray> tmpImageData = Uint8ClampedArray::createUninitialized(paintSize.width() * paintSize.height() * 4);
-    Uint8ClampedArray* tmpPixelArray = tmpImageData.get();
-
-    platformApply(srcPixelArray, tmpPixelArray, kernelSize.width(), kernelSize.height(), paintSize);
+    if (!tmpImageData) {
+        WTFLogAlways("FEGaussianBlur::platformApplySoftware Unable to create buffer. Requested size was %d x %d\n", paintSize.width(), paintSize.height());
+        return;
+    }
+
+    platformApply(srcPixelArray, tmpImageData.get(), kernelSize.width(), kernelSize.height(), paintSize);
 }
 

trunk/Source/WebCore/platform/graphics/filters/FilterEffect.cpp

@@ -4 +4 @@
  * Copyright (C) Research In Motion Limited 2010. All rights reserved.
  * Copyright (C) 2012 University of Szeged
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -260 +260 @@
     scaledPaintSize.scale(m_filter.filterScale());
 
+    if (!source || !destination)
+        return;
+
     // Initialize the destination to transparent black, if not entirely covered by the source.
     if (scaledRect.x() < 0 || scaledRect.y() < 0 || scaledRect.maxX() > scaledPaintSize.width() || scaledRect.maxY() > scaledPaintSize.height())
@@ -315 +318 @@
             inputSize.scale(m_filter.filterScale());
             m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized(inputSize.width() * inputSize.height() * 4);
+            if (!m_unmultipliedImageResult) {
+                WTFLogAlways("FilterEffect::copyUnmultipliedImage Unable to create buffer. Requested size was %d x %d\n", inputSize.width(), inputSize.height());
+                return;
+            }
             unsigned char* sourceComponent = m_premultipliedImageResult->data();
             unsigned char* destinationComponent = m_unmultipliedImageResult->data();
@@ -351 +358 @@
             inputSize.scale(m_filter.filterScale());
             m_premultipliedImageResult = Uint8ClampedArray::createUninitialized(inputSize.width() * inputSize.height() * 4);
+            if (!m_premultipliedImageResult) {
+                WTFLogAlways("FilterEffect::copyPremultipliedImage Unable to create buffer. Requested size was %d x %d\n", inputSize.width(), inputSize.height());
+                return;
+            }
             unsigned char* sourceComponent = m_unmultipliedImageResult->data();
             unsigned char* destinationComponent = m_premultipliedImageResult->data();