Cherry-pick 267815.608@safari-7617-branch (e09e3cd). https://bugs.web…

…kit.org/show_bug.cgi?id=264978 heap-buffer-overflow: crash under WebCore::ShadowBlur::blurLayerImage(). https://bugs.webkit.org/show_bug.cgi?id=264978 rdar://118004762. Reviewed by Simon Fraser. For very large box-shadow sizes due to floating point precision error, ImageBuffer::getPixelBuffer returns 'PixelBuffer' size which is not same as passed size.This causes buffer overflow/underflow issue for these large sizes. In order to fix it now we use same size as allocated 'PixelBuffer' size even though it could be slightly different than original size. * LayoutTests/fast/box-shadow/large-shadowblur-no-crash-expected.txt: Added test expected file. * LayoutTests/fast/box-shadow/large-shadowblur-no-crash.html: Added test case. * Source/WebCore/platform/graphics/ShadowBlur.cpp: (WebCore::ShadowBlur::blurShadowBuffer): Using same size as allocated pixel buffer size. Canonical link: https://commits.webkit.org/267815.608@safari-7617-branch
WebKit · Jan 23, 2024 · 1e49f24 · 1e49f24
1 parent a725227
commit 1e49f24
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 1 deletion.
diff --git a/LayoutTests/fast/box-shadow/large-shadowblur-no-crash-expected.txt b/LayoutTests/fast/box-shadow/large-shadowblur-no-crash-expected.txt
@@ -0,0 +1 @@
+This test passes if test doesn't crash.
diff --git a/LayoutTests/fast/box-shadow/large-shadowblur-no-crash.html b/LayoutTests/fast/box-shadow/large-shadowblur-no-crash.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <style>
+        div {
+            box-shadow: blue 1.76px 0px 10px 24px inset;
+            width: 33554432px;
+            height: 33554432px;
+            border-radius: 5px;
+            filter: sepia(1);
+        }
+    </style>
+    <script src="../../resources/ui-helper.js"></script>
+    <script>
+        if (window.testRunner) {
+            testRunner.dumpAsText();
+            testRunner.waitUntilDone();
+        }
+
+        window.addEventListener('load', async () => {
+            await UIHelper.renderingUpdate();
+            testRunner.notifyDone();
+        }, false);
+    </script>
+</head>
+<body>
+    <div></div>
+    <p>This test passes if test doesn't crash.</p>
+</body>
+</html>
diff --git a/Source/WebCore/platform/graphics/ShadowBlur.cpp b/Source/WebCore/platform/graphics/ShadowBlur.cpp
@@ -897,7 +897,7 @@ void ShadowBlur::blurShadowBuffer(ImageBuffer& layerImage, const IntSize& templa
     if (!layerData)
         return;
 
-    blurLayerImage(layerData->bytes(), blurRect.size(), blurRect.width() * 4);
+    blurLayerImage(layerData->bytes(), layerData->size(), layerData->size().width() * 4);
     layerImage.putPixelBuffer(*layerData, blurRect);
 }