[webkit-changes] [WebKit/WebKit] 59e4b7: Crash happens when applying filter and drawing tex...

Said Abou-Hallawa noreply at github.com
Tue Sep 10 17:45:06 PDT 2024 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 59e4b7c01999eaea1db9614660906c0ca6b57c34
      https://github.com/WebKit/WebKit/commit/59e4b7c01999eaea1db9614660906c0ca6b57c34
  Author: Said Abou-Hallawa <said at apple.com>
  Date:   2024-09-10 (Tue, 10 Sep 2024)

  Changed paths:
    A LayoutTests/fast/canvas/canvas-filter-text-drawing-expected.html
    A LayoutTests/fast/canvas/canvas-filter-text-drawing.html
    A LayoutTests/fast/canvas/canvas-layer-filter-text-drawing-expected.html
    A LayoutTests/fast/canvas/canvas-layer-filter-text-drawing.html
    M LayoutTests/platform/glib/TestExpectations
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp

  Log Message:
  -----------
  Crash happens when applying filter and drawing text in 2D canvas
https://bugs.webkit.org/show_bug.cgi?id=279348
rdar://135455808

Reviewed by Simon Fraser.

CanvasRenderingContext2DBase::drawTextUnchecked() calls fontProxy() which returns
a pointer to state().font. Then drawTextUnchecked() calls save() through
CanvasFilterContextSwitcher::create(). This save() appends a new state to
m_stateStack. Vector::append() may reallocate its buffer. Reallocating the buffer
will make the pointer to fontProxy() invalid. This causes a crash when accessing
the members of fontProxy.

To fix this make sure, CanvasRenderingContext2D::fontProxy() is called after
calling CanvasFilterContextSwitcher::create().

* LayoutTests/fast/canvas/canvas-filter-text-drawing-expected.html: Added.
* LayoutTests/fast/canvas/canvas-filter-text-drawing.html: Added.
* LayoutTests/fast/canvas/canvas-layer-filter-text-drawing-expected.html: Added.
* LayoutTests/fast/canvas/canvas-layer-filter-text-drawing.html: Added.
* LayoutTests/platform/glib/TestExpectations:
* Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:
(WebCore::CanvasRenderingContext2DBase::drawTextUnchecked):

Canonical link: https://commits.webkit.org/283451@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list