Commit

WebContent may get killed due to invalid RemoteLayerTreeDrawingAreaProxy_CommitLayerTree IPC message

https://bugs.webkit.org/show_bug.cgi?id=260757
rdar://113860744

Reviewed by Aditya Keerthi.

The fuzzer found a case where the RemoteLayerTreeDrawingAreaProxy_CommitLayerTree
IPC message may fail decoding because it contains an invalid IntRect. After some
investigation, I found that we didn't handle overflows in the arithmetic in
Region::Shape::bounds(), which means that we could end up with an IntRect that
had a negative width or height.

In the fuzzer case, we ended up with the following values:
minX=-2147483648, minY=3, maxX=62, maxY=2306

We would compute the width doing `62 - (-2147483648)` which would overflow and end
up with a negative width. We now use checkedDifference<int32_t>() to detect
overflows and clamp to std::numeric_limits<int32_t>::max() when it happens.

* Source/WebCore/platform/graphics/Region.cpp:
(WebCore::Region::Shape::bounds const):

Originally-landed-as: 265870.452@safari-7616-branch (ca4f7c9). rdar://117809786
Canonical link: https://commits.webkit.org/270125@main
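To make the overflow described above concrete, here is a small stand-alone C++ example. It is added here and is not WebKit code: it does not use WTF's CheckedInt32 or checkedDifference, but reimplements a checked 32-bit subtraction on top of the compiler's `__builtin_sub_overflow` (GCC/Clang), applies the same saturate-to-INT32_MAX clamp the commit uses, and shows what the unchecked subtraction produced for the fuzzer's values minX=-2147483648, maxX=62. The `CheckedInt32`, `Rect`, `boundsFixed`, `uncheckedWidth` and `isValidRect` names are the example's own.

```cpp
#include <cstdint>
#include <iostream>
#include <limits>

// Toy stand-in for WTF's CheckedInt32 (added example, not WebKit's type).
struct CheckedInt32 {
    int32_t value = 0;
    bool overflowed = false;
    bool hasOverflowed() const { return overflowed; }
};

// Stand-in for checkedDifference<int32_t>(): flags the overflow instead of wrapping.
CheckedInt32 checkedDifference(int32_t a, int32_t b) {
    CheckedInt32 r;
    r.overflowed = __builtin_sub_overflow(a, b, &r.value);
    return r;
}

// Minimal rectangle with the x/y/width/height layout an IntRect is built from.
struct Rect {
    int32_t x, y, width, height;
};

// Saturating clamp used by the fix: an overflowed difference becomes INT32_MAX.
int32_t saturate(CheckedInt32 v) {
    return v.hasOverflowed() ? std::numeric_limits<int32_t>::max() : v.value;
}

// The corrected bounds computation from the commit, over the toy types.
Rect boundsFixed(int32_t minX, int32_t minY, int32_t maxX, int32_t maxY) {
    CheckedInt32 width = checkedDifference(maxX, minX);
    CheckedInt32 height = checkedDifference(maxY, minY);
    return Rect{minX, minY, saturate(width), saturate(height)};
}

// The pre-fix computation. Signed overflow is undefined behaviour in C++, so the
// wrapped result is reproduced deliberately through a 64-bit subtraction that is
// truncated to 32 bits, instead of letting `maxX - minX` itself overflow.
int32_t uncheckedWidth(int32_t minX, int32_t maxX) {
    int64_t wide = static_cast<int64_t>(maxX) - static_cast<int64_t>(minX);
    return static_cast<int32_t>(static_cast<uint32_t>(wide));
}

// The check a receiving IPC decoder applies: a rect with a negative size is invalid.
bool isValidRect(const Rect& r) {
    return r.width >= 0 && r.height >= 0;
}

int main() {
    // Values from the fuzzer case reported in the commit message.
    const int32_t minX = std::numeric_limits<int32_t>::min();
    const int32_t minY = 3, maxX = 62, maxY = 2306;

    std::cout << "unchecked width: " << uncheckedWidth(minX, maxX) << '\n';
    Rect fixed = boundsFixed(minX, minY, maxX, maxY);
    std::cout << "fixed width: " << fixed.width << ", height: " << fixed.height
              << ", valid: " << std::boolalpha << isValidRect(fixed) << '\n';
    return 0;
}
```

With the fuzzer's inputs the unchecked width wraps to a negative number, which a decoder validating the rectangle rejects; the checked version saturates the width to INT32_MAX and keeps the exact height of 2303, so the rectangle stays decodable even though it no longer reaches the original maxX.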
cdumez authored and JonWBedard committed Nov 2, 2023
1 parent 0dadce5 commit cdb96bc
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion Source/WebCore/platform/graphics/Region.cpp
@@ -414,7 +414,9 @@ IntRect Region::Shape::bounds() const
ASSERT(minX <= maxX);
ASSERT(minY <= maxY);

return IntRect(minX, minY, maxX - minX, maxY - minY);
CheckedInt32 width = checkedDifference<int32_t>(maxX, minX);
CheckedInt32 height = checkedDifference<int32_t>(maxY, minY);
return IntRect(minX, minY, width.hasOverflowed() ? std::numeric_limits<int32_t>::max() : width.value(), height.hasOverflowed() ? std::numeric_limits<int32_t>::max() : height.value());
}

void Region::Shape::translate(const IntSize& offset)
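Review bot: the clamp on the `return IntRect(...)` line only handles overflow; if minX > maxX or minY > maxY ever reaches this code, the two `ASSERT`s above are compiled out in release builds and `checkedDifference` returns an ordinary negative value without overflowing, so the IntRect can still carry a negative width or height. Either clamp the low side as well, e.g. `std::max(0, width.value())`, or add a comment explaining why callers guarantee the invariant. On style, the duplicated ternary makes the return line very long; a small helper such as `auto saturated = [](CheckedInt32 v) { return v.hasOverflowed() ? std::numeric_limits<int32_t>::max() : v.value(); };` would keep both clamps in one place. It would also help to note in a comment that the saturated rectangle no longer reaches the original maxX (for the fuzzer's minX = -2147483648, x + width lands at -1), so callers know the bounds are a best-effort cover rather than exact.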

0 comments on commit cdb96bc