WebContent may get killed due to invalid RemoteLayerTreeDrawingAreaProxy_CommitLayerTree IPC message

https://bugs.webkit.org/show_bug.cgi?id=260757
rdar://113860744

Reviewed by Aditya Keerthi.

The fuzzer found a case where the RemoteLayerTreeDrawingAreaProxy_CommitLayerTree IPC message may fail decoding because it contains an invalid IntRect. After some investigation, I found that we didn't handle overflows in the arithmetic in Region::Shape::bounds(), which means that we could end up with an IntRect that had a negative width or height.

In the fuzzer case, we ended up with the following values:

    minX=-2147483648, minY=3, maxX=62, maxY=2306

We would compute the width doing `62 - (-2147483648)`, which would overflow and end up with a negative width.

We now use checkedDifference<int32_t>() to detect overflows and clamp to std::numeric_limits<int32_t>::max() when it happens.

* Source/WebCore/platform/graphics/Region.cpp:
(WebCore::Region::Shape::bounds const):

Originally-landed-as: 265870.452@safari-7616-branch (ca4f7c9). rdar://117809786
Canonical link: https://commits.webkit.org/270125@main
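The overflow described in the commit message, reproduced with the fuzzer's extents as an added example that is not WebKit's code: `checkedDifference` and `boundsFromExtents` below are hypothetical stand-ins for WTF's `checkedDifference<int32_t>()` and for `Region::Shape::bounds()`, written portably (the overflow check is done in 64-bit arithmetic rather than with a compiler builtin, which is an assumption about WTF's internals, not a description of them). `wrappedDifference` shows what a two's-complement wrap of the old `maxX - minX` yields, which is why the decoder on the receiving side rejected the rect.

```cpp
// Added example: reproduces the Region::Shape::bounds() overflow from the
// commit message and the clamp-on-overflow fix. Requires C++17 (std::optional)
// and assumes two's-complement int32_t. Not WebKit code.
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>

struct IntRect {
    int32_t x;
    int32_t y;
    int32_t width;
    int32_t height;
};

// Hypothetical stand-in for WTF's checkedDifference<int32_t>(): returns
// std::nullopt when a - b does not fit in int32_t. The subtraction is done in
// 64 bits so the check itself never triggers signed-overflow UB.
std::optional<int32_t> checkedDifference(int32_t a, int32_t b)
{
    int64_t wide = static_cast<int64_t>(a) - static_cast<int64_t>(b);
    if (wide < std::numeric_limits<int32_t>::min() || wide > std::numeric_limits<int32_t>::max())
        return std::nullopt;
    return static_cast<int32_t>(wide);
}

// What the pre-fix `maxX - minX` produces once the overflow wraps around
// (modelled with unsigned modular arithmetic so this demo stays well-defined).
int32_t wrappedDifference(int32_t a, int32_t b)
{
    uint32_t wrapped = static_cast<uint32_t>(a) - static_cast<uint32_t>(b);
    return static_cast<int32_t>(wrapped); // two's-complement reinterpretation
}

// Hypothetical stand-in for the fixed Region::Shape::bounds(): width/height are
// clamped to INT32_MAX instead of wrapping negative when the extents are too far apart.
IntRect boundsFromExtents(int32_t minX, int32_t minY, int32_t maxX, int32_t maxY)
{
    auto clampedDiff = [](int32_t hi, int32_t lo) {
        return checkedDifference(hi, lo).value_or(std::numeric_limits<int32_t>::max());
    };
    return { minX, minY, clampedDiff(maxX, minX), clampedDiff(maxY, minY) };
}

// The receiver-side sanity check an IPC decoder would apply: a rect with a
// negative extent is invalid and causes the message to be rejected.
bool isValidRect(const IntRect& r)
{
    return r.width >= 0 && r.height >= 0;
}

int main()
{
    // Extents from the fuzzer case in the commit message.
    const int32_t minX = std::numeric_limits<int32_t>::min(); // -2147483648
    const int32_t minY = 3, maxX = 62, maxY = 2306;

    IntRect before { minX, minY, wrappedDifference(maxX, minX), wrappedDifference(maxY, minY) };
    IntRect after = boundsFromExtents(minX, minY, maxX, maxY);

    std::printf("before fix: width=%d height=%d valid=%d\n", before.width, before.height, isValidRect(before));
    std::printf("after fix:  width=%d height=%d valid=%d\n", after.width, after.height, isValidRect(after));
    return 0;
}
```

The clamp trades an exact width for a rect that still passes the decoder's non-negativity check; a consumer that needs the true extent must treat `INT32_MAX` as "saturated" rather than as a real size.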