Cherry-pick 259548.70@safari-7615-branch (4f0cd71). https://bugs.webk…

…it.org/show_bug.cgi?id=247835 Fix use of uninitialized memory in TransformationMatrix decompose() https://bugs.webkit.org/show_bug.cgi?id=247835 <rdar://102263762> Reviewed by Dean Jackson. Fixes decompose4 to check for a failing return value from inverse, and early returns, rather than continuing with the output matrix uninitialized. Also adds WARN_UNUSED_RETURN to decompose2/4 to ensure that all callers handle this case. * Source/WebCore/Modules/webxr/WebXRRigidTransform.cpp: (WebCore::m_rawTransform): * Source/WebCore/animation/KeyframeEffect.cpp: (WebCore::KeyframeEffect::computeTransformedExtentViaTransformList const): (WebCore::KeyframeEffect::computeTransformedExtentViaMatrix const): * Source/WebCore/platform/graphics/transforms/RotateTransformOperation.cpp: (WebCore::RotateTransformOperation::blend): * Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp: (WebCore::decompose4): * Source/WebCore/platform/graphics/transforms/TransformationMatrix.h: Canonical link: https://commits.webkit.org/259548.70@safari-7615-branch
WebKit · Apr 3, 2023 · 5ea8890 · 5ea8890
1 parent 609a757
commit 5ea8890
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 10 deletions.
diff --git a/Source/WebCore/Modules/webxr/WebXRRigidTransform.cpp b/Source/WebCore/Modules/webxr/WebXRRigidTransform.cpp
@@ -105,7 +105,8 @@ WebXRRigidTransform::WebXRRigidTransform(const TransformationMatrix& transform)
     }
 
     TransformationMatrix::Decomposed4Type decomp = { };
-    transform.decompose4(decomp);
+    if (!transform.decompose4(decomp))
+        return;
 
     m_position = DOMPointReadOnly::create(decomp.translateX, decomp.translateY, decomp.translateZ, 1.0f);
 

diff --git a/Source/WebCore/animation/KeyframeEffect.cpp b/Source/WebCore/animation/KeyframeEffect.cpp
@@ -2136,9 +2136,8 @@ bool KeyframeEffect::computeTransformedExtentViaTransformList(const FloatRect& r
 
             if (operation->type() == TransformOperation::Type::Matrix || operation->type() == TransformOperation::Type::Matrix3D) {
                 TransformationMatrix::Decomposed2Type toDecomp;
-                transform.decompose2(toDecomp);
                 // Any rotation prevents us from using a simple start/end rect union.
-                if (toDecomp.angle)
+                if (!transform.decompose2(toDecomp) || toDecomp.angle)
                     return false;
             }
 
@@ -2161,9 +2160,8 @@ bool KeyframeEffect::computeTransformedExtentViaMatrix(const FloatRect& renderer
         return false;
 
     TransformationMatrix::Decomposed2Type fromDecomp;
-    transform.decompose2(fromDecomp);
     // Any rotation prevents us from using a simple start/end rect union.
-    if (fromDecomp.angle)
+    if (!transform.decompose2(fromDecomp) || fromDecomp.angle)
         return false;
 
     bounds = LayoutRect(transform.mapRect(bounds));

diff --git a/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp b/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp
@@ -3969,7 +3969,8 @@ void GraphicsLayerCA::updateRootRelativeScale()
         if (transform.isIdentityOrTranslation())
             return 1;
         TransformationMatrix::Decomposed2Type decomposeData;
-        transform.decompose2(decomposeData);
+        if (!transform.decompose2(decomposeData))
+            return 1;
         return std::max(std::abs(decomposeData.scaleX), std::abs(decomposeData.scaleY));
     };
 

diff --git a/Source/WebCore/platform/graphics/transforms/RotateTransformOperation.cpp b/Source/WebCore/platform/graphics/transforms/RotateTransformOperation.cpp
@@ -108,7 +108,10 @@ Ref<TransformOperation> RotateTransformOperation::blend(const TransformOperation
 
     // Extract the result as a quaternion
     TransformationMatrix::Decomposed4Type decomp;
-    toT.decompose4(decomp);
+    if (!toT.decompose4(decomp)) {
+        const RotateTransformOperation* usedOperation = context.progress > 0.5 ? this : fromOp;
+        return RotateTransformOperation::create(usedOperation->x(), usedOperation->y(), usedOperation->z(), usedOperation->angle(), TransformOperation::Type::Rotate3D);
+    }
 
     // Convert that to Axis/Angle form
     double x = -decomp.quaternionX;

diff --git a/Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp b/Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp
@@ -503,7 +503,8 @@ static bool decompose4(const TransformationMatrix::Matrix4& mat, TransformationM
         // rightHandSide by the inverse. (This is the easiest way, not
         // necessarily the best.)
         TransformationMatrix::Matrix4 inversePerspectiveMatrix, transposedInversePerspectiveMatrix;
-        inverse(perspectiveMatrix, inversePerspectiveMatrix);
+        if (!inverse(perspectiveMatrix, inversePerspectiveMatrix))
+            return false;
         transposeMatrix4(inversePerspectiveMatrix, transposedInversePerspectiveMatrix);
 
         Vector4 perspectivePoint;

diff --git a/Source/WebCore/platform/graphics/transforms/TransformationMatrix.h b/Source/WebCore/platform/graphics/transforms/TransformationMatrix.h
@@ -329,10 +329,10 @@ class TransformationMatrix {
         }
     };
 
-    bool decompose2(Decomposed2Type&) const;
+    bool decompose2(Decomposed2Type&) const WARN_UNUSED_RETURN;
     void recompose2(const Decomposed2Type&);
 
-    bool decompose4(Decomposed4Type&) const;
+    bool decompose4(Decomposed4Type&) const WARN_UNUSED_RETURN;
     void recompose4(const Decomposed4Type&);
 
     WEBCORE_EXPORT void blend(const TransformationMatrix& from, double progress, CompositeOperation = CompositeOperation::Replace);