[Webkit-unassigned] [Bug 34566] Security: WebCore::FEMorphology::apply memmove ReadAV at NULL (ec3ed2d76f7904e1c4df8ea3b1dd07e6)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Mar 19 16:01:08 PDT 2010


--- Comment #5 from Justin Schuh <jschuh at chromium.org>  2010-03-19 16:01:07 PST ---
(In reply to comment #4)
> (From update of attachment 51073 [details])
> What happens if you throw very large radiuses at this filter?  Can you add
> large radius tests as well? say 2^8, 2^16, 2^24, etc (and possibly  2^8-1, etc
> as well)

I can add test conditions for integer boundaries. However, the math is all
32-bit ints, so the INT_MIN/INT_MAX boundaries are the only ones that make

There is one other potential trouble spot I noticed in FEMorphology::apply()
while following in the debugger. It's possible to saturate radiusX and radiusY
when converting to int, which produces the value INT_MIN. It won't actually
trigger any security issues, but future changes could cause problems. So, I'm
adding a range check there as well.

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list