| Summary: | createImageBitmap() causes null pointer dereference using Cairo lib | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | wz906234737 |
| Component: | DOM | Assignee: | Fujii Hironori <Hironori.Fujii> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | cdumez, cgarcia, changseok, don.olmstead, esprehn+autocc, ews-watchlist, gyuyoung.kim, Hironori.Fujii, kbr, sabouhallawa, webkit-bug-importer, zyscoder |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |
| Attachments: | 417519 (the script caused crash), 417678 (WIP patch), 417792 (Patch) | | |
The code that dereferences nullptr:

```
// ============== Source/WebCore/html/ImageBitmap.cpp:822 ===============
auto tempBitmapData = createImageBuffer(scriptExecutionContext, imageData->size(), bufferRenderingMode);
// createImageBuffer(...) can fail and return nullptr, leaving `tempBitmapData` null here
tempBitmapData->putImageData(AlphaPremultiplication::Unpremultiplied, *imageData, IntRect(0, 0, imageData->width(), imageData->height()), { }, alphaPremultiplication);
// ======================================================================
```
Created attachment 417678 [details]
WIP patch

Created attachment 417792 [details]
Patch

Comment on attachment 417792 [details]
Patch

Clearing flags on attachment: 417792

Committed r271583: <https://trac.webkit.org/changeset/271583>

All reviewed patches have been landed. Closing bug.
Created attachment 417519 [details]
the script caused crash

1. Reproduction of crash:
(1) open the inspector window and run the script below in the console;
(2) the script is:

```
// ==========================================
(function () {
    const _1 = 32769;
    const _0 = new ImageData(1, _1);
    const _3 = {resizeHeight: 1};
    return createImageBitmap(_0, _3);
})();
// ==========================================
```

Changing `_1` to less than 32768 will be safe. The critical point `32768` would cause a crash on the `debug` version, but is OK on the `release` version.

2. Analysis
I found the crash was caused by a null pointer dereference in `Source/WebCore/html/ImageBitmap.cpp:823`. Because the `Cairo` library limits image width and height to less than 32768, and will return nullptr if larger than the limit.
The limit `cairoMaxImageSize` is defined in `Source/WebCore/platform/graphics/ImageBackingStore.h:39`.
The function `create` is defined in `Source/WebCore/platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp:44`.
Part of the code that returns nullptr:

```
// ========== Source/WebCore/platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp:50 ==========
IntSize backendSize = calculateBackendSize(parameters.logicalSize, parameters.resolutionScale);
if (backendSize.isEmpty() || backendSize.width() > cairoMaxImageSize || backendSize.height() > cairoMaxImageSize)
    return nullptr;
```
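The failure mode described in the report, as an added C++ example that is not WebKit's code and not the fix landed in r271583: a size-limited `createImageBuffer()` stand-in that returns nullptr like the Cairo backend, the unchecked caller pattern from the report beside a checked one. `kCairoMaxImageSize` (value assumed from the report's 32768 limit), `IntSize`, `ImageBuffer`, `copyPixelsUnchecked` and `copyPixelsChecked` are constructed simplifications.

```cpp
#include <cstdint>
#include <memory>
#include <optional>

// Assumed stand-in for cairoMaxImageSize (ImageBackingStore.h); the report
// states the backend rejects sizes above 32768.
constexpr int kCairoMaxImageSize = 32768;

struct IntSize {
    int width;
    int height;
    bool isEmpty() const { return width <= 0 || height <= 0; }
};

// Minimal stand-in for an image buffer; only its size is tracked.
struct ImageBuffer {
    IntSize size;
};

// Mirrors the check quoted from ImageBufferCairoImageSurfaceBackend::create:
// an empty or over-limit size yields nullptr instead of a buffer.
std::unique_ptr<ImageBuffer> createImageBuffer(IntSize logicalSize) {
    if (logicalSize.isEmpty() || logicalSize.width > kCairoMaxImageSize
        || logicalSize.height > kCairoMaxImageSize)
        return nullptr;
    return std::make_unique<ImageBuffer>(ImageBuffer{logicalSize});
}

// Pattern from the report: the factory result is dereferenced unconditionally.
// With a 1 x 32769 source this is a null pointer dereference (undefined
// behaviour); only call it with sizes the backend accepts.
int64_t copyPixelsUnchecked(IntSize sourceSize) {
    auto tempBitmap = createImageBuffer(sourceSize);
    return int64_t(tempBitmap->size.width) * tempBitmap->size.height;
}

// Hardened form: allocation failure becomes a rejected operation the caller
// can surface (e.g. rejecting the createImageBitmap promise) instead of a crash.
std::optional<int64_t> copyPixelsChecked(IntSize sourceSize) {
    auto tempBitmap = createImageBuffer(sourceSize);
    if (!tempBitmap)
        return std::nullopt;
    return int64_t(tempBitmap->size.width) * tempBitmap->size.height;
}
```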