[webkit-changes] [WebKit/WebKit] 7bc1ae: ShadowBlur::blurLayerImage: fix out-of-bounds subs...
Kiet Ho
noreply at github.com
Tue Jul 23 21:49:08 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 7bc1ae1abbb9794991b86c7f21ee09a6a694691d
https://github.com/WebKit/WebKit/commit/7bc1ae1abbb9794991b86c7f21ee09a6a694691d
Author: Kiet Ho <tho22 at apple.com>
Date: 2024-07-23 (Tue, 23 Jul 2024)
Changed paths:
A LayoutTests/css3/filters/svg-filter-on-1px-element-expected.txt
A LayoutTests/css3/filters/svg-filter-on-1px-element.html
M Source/WebCore/platform/graphics/ShadowBlur.cpp
Log Message:
-----------
ShadowBlur::blurLayerImage: fix out-of-bounds subspan creation and wrong comparison
rdar://130755880
https://bugs.webkit.org/show_bug.cgi?id=276976
Reviewed by Chris Dumez.
If the input image is 1 pixel long on either dimension, the offset of the `prev` subspan
is outside the bounds of `pixels`. If the input image is smaller than the box kernel
size, the offset of the `next` subspan is outside the bounds of `pixels`. Catch either
case and treat the subspan as an empty span to avoid crashing within std::span::subspan().
Also fixed a wrong comparison sign (<= is used instead of >=).
Tested by fuzzing the routine with input images and blur width/height between 1x1
and 100x100.
* LayoutTests/css3/filters/svg-filter-on-1px-element-expected.txt: Added.
* LayoutTests/css3/filters/svg-filter-on-1px-element.html: Added.
* Source/WebCore/platform/graphics/ShadowBlur.cpp:
(WebCore::ShadowBlur::blurLayerImage):
Canonical link: https://commits.webkit.org/281274@main
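The failure mode the commit describes, as an added example that is not WebKit's code: a sliding-window box blur over one row, where the pixel leaving the window (`prev`) and the pixel entering it (`next`) are read through a subspan whose offset is checked against the row length, so a 1-pixel row or a row shorter than the kernel yields an empty view and the edge pixel instead of an out-of-bounds read. `BoundedView`, `readClamped`, `boxBlurRow`, `boxBlurRowReference` and `fuzzAgainstReference` are hypothetical names; `BoundedView` stands in for `std::span` so the example builds as C++17; the edge-replication policy and the size sweep are assumptions of the example, modelled on the commit's "fuzzing ... between 1x1 and 100x100" but not its actual harness.

```cpp
// Added example, not WebKit's code. 1-D sliding-window box blur with the
// prev/next reads guarded against offsets past the end of the row.
// BoundedView is a stand-in for std::span (assumption: C++17 build).
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

struct BoundedView {
    const uint8_t* data = nullptr;
    size_t size = 0;

    // Like std::span::subspan(offset), except that an offset past the end
    // returns an empty view instead of undefined behaviour (or a trap in a
    // hardened build).
    BoundedView subspan(size_t offset) const {
        if (offset > size)
            return BoundedView{};
        return BoundedView{data + offset, size - offset};
    }
    bool empty() const { return size == 0; }
    uint8_t operator[](size_t i) const { return data[i]; }
};

// Pixel at a possibly out-of-range index, replicating the edge pixel on
// either side (assumed edge policy). `row` must be non-empty.
static uint8_t readClamped(BoundedView row, ptrdiff_t index) {
    if (index < 0)
        return row[0];
    BoundedView tail = row.subspan(static_cast<size_t>(index));  // empty when index >= size
    return tail.empty() ? row[row.size - 1] : tail[0];
}

// Sliding window: one add and one subtract per output pixel. The window for
// output x covers [x - side1, x + side2].
std::vector<uint8_t> boxBlurRow(const std::vector<uint8_t>& src, size_t boxSize) {
    const size_t dim = src.size();
    if (dim == 0 || boxSize == 0)
        return src;
    const size_t side1 = boxSize / 2;          // pixels before the centre
    const size_t side2 = boxSize - side1 - 1;  // pixels after the centre
    const BoundedView row{src.data(), dim};

    unsigned sum = 0;
    for (ptrdiff_t k = -static_cast<ptrdiff_t>(side1); k <= static_cast<ptrdiff_t>(side2); ++k)
        sum += readClamped(row, k);

    std::vector<uint8_t> out(dim);
    for (size_t x = 0; x < dim; ++x) {
        out[x] = static_cast<uint8_t>(sum / boxSize);
        // Slide right: `next` enters at x + side2 + 1, `prev` leaves at x - side1.
        // For a 1-pixel row, or dim < boxSize, the next offset is always past
        // the end; the guarded subspan makes that a clamped read, not an overrun.
        sum += readClamped(row, static_cast<ptrdiff_t>(x + side2 + 1));
        sum -= readClamped(row, static_cast<ptrdiff_t>(x) - static_cast<ptrdiff_t>(side1));
    }
    return out;
}

// Direct per-pixel evaluation of the same kernel, used as the oracle.
std::vector<uint8_t> boxBlurRowReference(const std::vector<uint8_t>& src, size_t boxSize) {
    const size_t dim = src.size();
    if (dim == 0 || boxSize == 0)
        return src;
    const size_t side1 = boxSize / 2;
    const size_t side2 = boxSize - side1 - 1;
    const BoundedView row{src.data(), dim};
    std::vector<uint8_t> out(dim);
    for (size_t x = 0; x < dim; ++x) {
        unsigned sum = 0;
        for (ptrdiff_t k = -static_cast<ptrdiff_t>(side1); k <= static_cast<ptrdiff_t>(side2); ++k)
            sum += readClamped(row, static_cast<ptrdiff_t>(x) + k);
        out[x] = static_cast<uint8_t>(sum / boxSize);
    }
    return out;
}

// Size sweep in the spirit of the commit's test: every row length 1..maxDim
// against every kernel 1..maxBox, with deterministic xorshift pixels
// (constructed input), comparing the sliding window against the oracle.
bool fuzzAgainstReference(size_t maxDim, size_t maxBox) {
    uint32_t state = 0x9E3779B9u;
    for (size_t dim = 1; dim <= maxDim; ++dim) {
        for (size_t box = 1; box <= maxBox; ++box) {
            std::vector<uint8_t> rowPixels(dim);
            for (uint8_t& p : rowPixels) {
                state ^= state << 13; state ^= state >> 17; state ^= state << 5;
                p = static_cast<uint8_t>(state & 0xFF);
            }
            if (boxBlurRow(rowPixels, box) != boxBlurRowReference(rowPixels, box))
                return false;
        }
    }
    return true;
}

int main() {
    // The two cases from the commit: a 1-pixel row, and a row shorter than the kernel.
    for (uint8_t v : boxBlurRow({200}, 5)) std::cout << int(v) << ' ';
    std::cout << '\n';
    for (uint8_t v : boxBlurRow({0, 255}, 3)) std::cout << int(v) << ' ';
    std::cout << '\n';
    std::cout << (fuzzAgainstReference(100, 100) ? "sweep ok" : "MISMATCH") << '\n';
}
```

The guard lives in one place (`subspan`), which is the shape of the fix the commit describes: rather than reasoning about every caller's offset arithmetic, an offset past the end degrades to an empty view and the caller decides what an empty read means (here, the edge pixel). The sweep is cheap enough to keep as a permanent unit test rather than a one-off fuzz run.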