[webkit-changes] [WebKit/WebKit] 3cfb65: Fix buffer overflow in FEConvolveMatrixSoftwareApp...

Chirag Shah noreply at github.com
Thu May 25 10:59:11 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 3cfb6575ec08a8458894f6323ab09cd03e2475a0
      https://github.com/WebKit/WebKit/commit/3cfb6575ec08a8458894f6323ab09cd03e2475a0
  Author: Chirag M Shah <chirag_m_shah at apple.com>
  Date:   2023-05-25 (Thu, 25 May 2023)

  Changed paths:
    A LayoutTests/svg/filters/feconvolve-matrix-invalid-target-offset-crash-expected.txt
    A LayoutTests/svg/filters/feconvolve-matrix-invalid-target-offset-crash.html
    M Source/WebCore/platform/graphics/filters/FEConvolveMatrix.cpp
    M Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.cpp
    M Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.h
    M Source/WebCore/svg/SVGFEConvolveMatrixElement.cpp
    M Source/WebCore/svg/SVGFEConvolveMatrixElement.h

  Log Message:
  -----------
  Fix buffer overflow in FEConvolveMatrixSoftwareApplier
https://bugs.webkit.org/show_bug.cgi?id=253721
rdar://109800117

Reviewed by Said Abou-Hallawa.

This change fixes a buffer overflow issue in the
FEConvolveMatrixSoftwareApplier code which happens when dealing with the
interior area and setting the destination pixels. This happens because
when the targetX/targetY doesn't fit in the convolution kernel, we don't
clip it, and that ends up moving the pixel offset by more than what is
needed. This change fixes that by making sure that when the SVG
attribute changes, we detect the invalid offset and rebuild the filter.

* LayoutTests/svg/filters/feconvolve-matrix-invalid-target-offset-crash-expected.txt: Added.
* LayoutTests/svg/filters/feconvolve-matrix-invalid-target-offset-crash.html: Added.
* Source/WebCore/platform/graphics/filters/FEConvolveMatrix.cpp:
(WebCore::FEConvolveMatrix::FEConvolveMatrix):
* Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.cpp:
(WebCore::FEConvolveMatrixSoftwareApplier::FEConvolveMatrixSoftwareApplier):
* Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.h:
* Source/WebCore/svg/SVGFEConvolveMatrixElement.cpp:
(WebCore::SVGFEConvolveMatrixElement::isValidTargetXOffset const):
(WebCore::SVGFEConvolveMatrixElement::isValidTargetYOffset const):
(WebCore::SVGFEConvolveMatrixElement::svgAttributeChanged):
(WebCore::SVGFEConvolveMatrixElement::createFilterEffect const):
* Source/WebCore/svg/SVGFEConvolveMatrixElement.h:

Originally-landed-as: 259548.425 at safari-7615-branch (499c0bf6a8a9). rdar://97909186
Canonical link: https://commits.webkit.org/264527@main
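The commit message describes the bug as a target offset that falls outside the convolution kernel and therefore shifts the pixel reads too far. As an added illustration (not WebKit's code), the following sketch re-creates the SVG rule the fix enforces, 0 <= targetX < orderX and 0 <= targetY < orderY with a default of floor(order / 2), and shows a bounds-checked interior convolution that refuses to run on an unvalidated geometry; all names, the 4x4 sample image and the identity kernel are constructed for this example.

```cpp
#include <cstdint>
#include <optional>
#include <vector>

// Hypothetical re-creation of the rule the fix enforces (not WebKit's code):
// SVG requires 0 <= targetX < orderX and 0 <= targetY < orderY, with a
// default of floor(order / 2) when the attribute is absent.
struct KernelGeometry { int orderX, orderY, targetX, targetY; };

bool isValidTargetOffset(int target, int order) {
    return order > 0 && target >= 0 && target < order;
}

// Builds the geometry, or returns nullopt so the filter is never constructed.
std::optional<KernelGeometry> validateGeometry(int orderX, int orderY,
        std::optional<int> targetX, std::optional<int> targetY) {
    if (orderX <= 0 || orderY <= 0) return std::nullopt;
    int tx = targetX.value_or(orderX / 2), ty = targetY.value_or(orderY / 2);
    if (!isValidTargetOffset(tx, orderX) || !isValidTargetOffset(ty, orderY))
        return std::nullopt;
    return KernelGeometry{orderX, orderY, tx, ty};
}

// One interior output pixel of a width*height single-channel image, using the
// SVG formula (kernel indexed in reverse; divisor and bias omitted). The target
// offset decides how far the window is shifted left/up; returns false instead
// of reading outside the image when the shifted window does not fit.
bool convolveInteriorPixel(const std::vector<uint8_t>& src, int width, int height,
        const std::vector<float>& kernel, const KernelGeometry& g, int x, int y, float& out) {
    int x0 = x - g.targetX, y0 = y - g.targetY;
    if (x0 < 0 || y0 < 0 || x0 + g.orderX > width || y0 + g.orderY > height) return false;
    float sum = 0;
    for (int i = 0; i < g.orderY; ++i)
        for (int j = 0; j < g.orderX; ++j)
            sum += kernel[(g.orderY - 1 - i) * g.orderX + (g.orderX - 1 - j)]
                 * src[(y0 + i) * width + (x0 + j)];
    out = sum;
    return true;
}

// Constructed sample: 4x4 image with pixel value = index, 3x3 identity kernel.
std::optional<float> sampleIdentityAt(int x, int y, std::optional<int> targetX, std::optional<int> targetY) {
    std::vector<uint8_t> img(16);
    for (int i = 0; i < 16; ++i) img[i] = static_cast<uint8_t>(i);
    std::vector<float> kernel = {0, 0, 0, 0, 1, 0, 0, 0, 0};
    auto g = validateGeometry(3, 3, targetX, targetY);
    float out = 0;
    if (!g || !convolveInteriorPixel(img, 4, 4, kernel, *g, x, y, out)) return std::nullopt;
    return out;
}
```

With the default centred target the identity kernel returns the pixel itself; an offset of 3 on an order-3 kernel is rejected before any pixel is touched, and a window that would leave the image is refused rather than read.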
