[webkit-changes] [WebKit/WebKit] 84ae5a: Add more validation to Region IPC decoding

Kimmo Kinnunen noreply at github.com
Fri Jan 10 10:54:49 PST 2025 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 84ae5a0d957b884a72eaaa2bef43aec2ec59f482
      https://github.com/WebKit/WebKit/commit/84ae5a0d957b884a72eaaa2bef43aec2ec59f482
  Author: Kimmo Kinnunen <kkinnunen at apple.com>
  Date:   2025-01-10 (Fri, 10 Jan 2025)

  Changed paths:
    M Source/WebCore/platform/graphics/Region.cpp
    M Source/WebCore/platform/graphics/Region.h
    M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
    M Tools/TestWebKitAPI/CMakeLists.txt
    M Tools/TestWebKitAPI/Test.h
    M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
    A Tools/TestWebKitAPI/Tests/WebCore/RegionTests.cpp

  Log Message:
  -----------
  Add more validation to Region IPC decoding
https://bugs.webkit.org/show_bug.cgi?id=281040
rdar://136142756

Reviewed by Antti Koivisto.

Region::Shape algorithm is sensitive to the array structure. Validate
the data correctly.

Instead of encoding the bounds and the Shape data, just encode the
shape data. It fully defines the Region.

Use <=> in place of nextY - Y in order to avoid signed integer wrapping
and ensuring that the algorithm works correctly with negative Ys.

* Source/WebCore/platform/graphics/Region.cpp:
(WebCore::Region::rects const):
(WebCore::Region::Shape::Shape):
(WebCore::operator<<):
(WebCore::Region::Shape::shapeOperation):
(WebCore::segmentsForSpanSegmentIndices):
(WebCore::Region::Shape::isValidShape):
(WebCore::m_spans): Deleted.
(WebCore::Region::Shape::appendSegment): Deleted.
(WebCore::Region::Shape::dump const): Deleted.
(WebCore::Region::dump const): Deleted.
(WebCore::Region::Shape::isValid const): Deleted.
* Source/WebCore/platform/graphics/Region.h:
(WebCore::Region::Shape::createForTesting):
(WebCore::Region::Shape::dataForTesting const):
(WebCore::Region::createForTesting):
(WebCore::Region::dataForTesting const):
(WebCore::Region::Region):
(WebCore::Region::data const):
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
* Tools/TestWebKitAPI/CMakeLists.txt:
* Tools/TestWebKitAPI/Test.h:
(WTF::operator<<):
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WebCore/RegionTests.cpp: Added.
(convertToString):
(convertToTrimmedString):
(WebCore::operator<<):
(TestWebKitAPI::TEST(r, ShapeEmptyIsRepresentable)):
(TestWebKitAPI::TEST(RegionTests, ShapeEmptyIsEmpty)):
(TestWebKitAPI::TEST(RegionTests, IsValidShapeFalse)):
(TestWebKitAPI::TEST(RegionTests, UniteTests1)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatIndividual)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatDisjoint)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestJointXMergeable)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestJointYMergeable)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestJointX)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestJointY)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestEvenSegments)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestSortedSpan)):
(TestWebKitAPI::randomRect):
(TestWebKitAPI::TEST(RegionTests, FuzzOperationsIsValidShape)):
(TestWebKitAPI::TEST(RegionTests, IsValidShape1)):
(TestWebKitAPI::TEST(RegionTests, IsValidShape2)):

Originally-landed-as: 283286.236 at safari-7620-branch (c5f45c2aa95e). rdar://141319750
Canonical link: https://commits.webkit.org/288720@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list