Bug 220584 - createImageBitmap() causes null pointer dereference using Cairo lib
Summary: createImageBitmap() causes null pointer dereference using Cairo lib
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Fujii Hironori
Keywords: InRadar
Reported: 2021-01-13 03:21 PST by wz906234737
Modified: 2021-04-22 07:37 PDT

Attachments
the script caused crash (156 bytes, text/plain)
2021-01-13 03:21 PST, wz906234737
WIP patch (1.12 KB, patch)
2021-01-14 23:35 PST, Fujii Hironori
Patch (6.30 KB, patch)
2021-01-17 21:32 PST, Fujii Hironori

Description wz906234737 2021-01-13 03:21:45 PST
Created attachment 417519
the script caused crash

1. Reproduction of crash:

(1) open the inspector window and run the script below in the console;
(2) the script is:
```javascript
// ==========================================
(function () {
    const _1 = 32769;
    const _0 = new ImageData(1, _1);
    const _3 = {resizeHeight: 1};
    return createImageBitmap(_0, _3);
})();
// ==========================================
```

Changing `_1` to less than 32768 will be safe.

The critical point `32768` would cause a crash on the `debug` version, but is OK on the `release` version.

2. Analysis
I found the crash was caused by a null pointer dereference in `Source/WebCore/html/ImageBitmap.cpp:823`.

Because the `Cairo` library limits image width and height to less than 32768, and will return nullptr if larger than the limit.

The limit `cairoMaxImageSize` is defined in `Source/WebCore/platform/graphics/ImageBackingStore.h:39`.
The function `create` is defined in `Source/WebCore/platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp:44`.

Part of the code that returns nullptr:

```cpp
// ========== Source/WebCore/platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp:50 ==========

    IntSize backendSize = calculateBackendSize(parameters.logicalSize, parameters.resolutionScale);
    if (backendSize.isEmpty() || backendSize.width() > cairoMaxImageSize || backendSize.height() > cairoMaxImageSize)
        return nullptr;
```
Comment 1 wz906234737 2021-01-13 03:25:54 PST
The code that dereferences nullptr:

```cpp
// ============== Source/WebCore/html/ImageBitmap.cpp:822 ===============

    auto tempBitmapData = createImageBuffer(scriptExecutionContext, imageData->size(), bufferRenderingMode);

// ==== `tempBitmapData` is nullptr here: createImageBuffer(...) failed and returned nullptr ====

    tempBitmapData->putImageData(AlphaPremultiplication::Unpremultiplied, *imageData, IntRect(0, 0, imageData->width(), imageData->height()), { }, alphaPremultiplication);
// ======================================================================
```
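The nullptr return and the unchecked dereference quoted above, modelled side by side in an added C++ example (not WebKit's code, and not the change committed as r271583): `createImageBuffer` stands in for the Cairo backend's `create()` with its 32768 limit, and `createImageBitmapFromImageData` shows the call site with the missing null check in place. Apart from `cairoMaxImageSize`, `createImageBuffer`, `putImageData` and `tempBitmapData`, all names here are assumed.

```cpp
// Added illustration, not WebKit's code: a minimal model of the two functions
// the report quotes. The Cairo backend's create() returns nullptr above
// cairoMaxImageSize, so the ImageBitmap side must treat nullptr as a failed
// allocation instead of calling putImageData() on it.
#include <cstdio>
#include <memory>

constexpr int cairoMaxImageSize = 32768; // limit quoted from ImageBackingStore.h
struct IntSize {
    int width;
    int height;
    bool isEmpty() const { return width <= 0 || height <= 0; }
};
struct ImageBuffer {
    IntSize size;
    void putImageData() { } // stand-in; the real one copies pixels into the backing store
};

// Models ImageBufferCairoImageSurfaceBackend::create(): nullptr when either
// dimension exceeds the Cairo limit (or the size is empty).
std::unique_ptr<ImageBuffer> createImageBuffer(IntSize size) {
    if (size.isEmpty() || size.width > cairoMaxImageSize || size.height > cairoMaxImageSize)
        return nullptr;
    auto buffer = std::make_unique<ImageBuffer>();
    buffer->size = size;
    return buffer;
}
enum class BitmapResult { Created, Rejected };

// Hardened shape of the ImageBitmap.cpp:822 call site: a null buffer is
// reported to the caller (in WebKit that would reject the createImageBitmap()
// promise; an assumed shape, not the committed r271583 change).
BitmapResult createImageBitmapFromImageData(IntSize imageDataSize) {
    auto tempBitmapData = createImageBuffer(imageDataSize);
    if (!tempBitmapData)
        return BitmapResult::Rejected; // the unchecked original dereferenced here
    tempBitmapData->putImageData();
    return BitmapResult::Created;
}

int main() {
    // The report's reproducer, new ImageData(1, 32769), is one past the limit.
    const int heights[] = { 32768, 32769 };
    for (int height : heights) {
        bool created = createImageBitmapFromImageData({ 1, height }) == BitmapResult::Created;
        std::printf("1x%d: %s\n", height, created ? "created" : "rejected, no null dereference");
    }
    return 0;
}
```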
Comment 2 Fujii Hironori 2021-01-14 23:35:56 PST
Created attachment 417678
WIP patch
Comment 3 Fujii Hironori 2021-01-17 21:32:17 PST
Created attachment 417792
Patch
Comment 4 Fujii Hironori 2021-01-18 12:13:17 PST
Comment on attachment 417792
Patch

Clearing flags on attachment: 417792

Committed r271583: <https://trac.webkit.org/changeset/271583>
Comment 5 Fujii Hironori 2021-01-18 12:13:21 PST
All reviewed patches have been landed.  Closing bug.
Comment 6 Radar WebKit Bug Importer 2021-01-18 12:14:15 PST
<rdar://problem/73327997>