[Webkit-unassigned] [Bug 66290] New: Passing invalid blur values through context2d setShadow causes large values in Skia

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Aug 16 04:17:16 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=66290

           Summary: Passing invalid blur values through context2d
                    setShadow causes large values in Skia
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: Canvas
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: mdelaney at apple.com


Created an attachment (id=104022)
 --> (https://bugs.webkit.org/attachment.cgi?id=104022&action=review)
Repro

Repro:
<script>
  oCanvas=document.createElement("canvas");
  oContext2d=oCanvas.getContext("2d");
  oContext2d.setShadow(5,6,'l');
  oContext2d.setLineWidth(6308.);
  oContext2d.strokeText('$',0,0);
</script>

There is no sanity check in WebKit's WebCore::CanvasRenderingContext2D, WebCore::GraphicsContext or Skia's SkBlurMaskFilter code. We hit the first SkASSERT in the code below because radius is NaN.

skia\src\effects\skblurmaskfilter.cpp
SkBlurMaskFilterImpl::SkBlurMaskFilterImpl(SkScalar radius, SkBlurMaskFilter::BlurStyle style,
                                           uint32_t flags)
    : fRadius(radius), fBlurStyle(style), fBlurFlags(flags)
{
#if 0
    fGamma = NULL;
    if (gammaScale)
    {
        fGamma = new U8[256];
        if (gammaScale > 0)
            SkBlurMask::BuildSqrGamma(fGamma, gammaScale);
        else
            SkBlurMask::BuildSqrtGamma(fGamma, -gammaScale);
    }
#endif
    SkASSERT(radius >= 0);
    SkASSERT((unsigned)style < SkBlurMaskFilter::kBlurStyleCount);
    SkASSERT(flags <= SkBlurMaskFilter::kAll_BlurFlag);
}

The invalid radius is later used in SkBlurMaskFilterImpl::filterMask, where the code tries to limit it to a sane value:

bool SkBlurMaskFilterImpl::filterMask(SkMask* dst, const SkMask& src, const SkMatrix& matrix, SkIPoint* margin)
{
    SkScalar radius;
    if (fBlurFlags & SkBlurMaskFilter::kIgnoreTransform_BlurFlag)
        radius = fRadius;
    else
        radius = matrix.mapRadius(fRadius);

    // To avoid unseemly allocation requests (esp. for finite platforms like
    // handset) we limit the radius so something manageable. (as opposed to
    // a request like 10,000)
    static const SkScalar MAX_RADIUS = SkIntToScalar(128);
    radius = SkMinScalar(radius, MAX_RADIUS);
    SkBlurMask::Quality blurQuality = (fBlurFlags & SkBlurMaskFilter::kHighQuality_BlurFlag) ?
        SkBlurMask::kHigh_Quality : SkBlurMask::kLow_Quality;

    if (SkBlurMask::Blur(dst, src, radius, (SkBlurMask::Style)fBlurStyle, blurQuality))
    {
        if (margin) {
            // we need to integralize radius for our margin, so take the ceil
            // just to be safe.
            margin->set(SkScalarCeil(radius), SkScalarCeil(radius));
        }
        return true;
    }
    return false;
}

The code for "SkMinScalar" which is used to limit the value does not handle NaN:

inline SkScalar SkMinScalar(SkScalar a, SkScalar b) { return a < b ? a : b; }

In this case, the value will be set to MAX_RADIUS, which has led to OOM on some of my test machines.

I'm not sure which part(s) of the code are wrong; WebKit should probably throw an error when you specify an invalid blur value, but maybe Skia should just treat them as 0? I'll file bugs everywhere to get a discussion going.

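The following is an added example, not code from the bug report, WebKit or Skia. It reproduces the NaN behaviour of the SkMinScalar-style clamp quoted above (any comparison involving NaN is false, so `a < b ? a : b` returns the cap `b`, i.e. MAX_RADIUS, for a NaN radius) and puts a NaN- and sign-aware clamp next to it, which maps non-finite or negative radii to 0 (no blur), the Skia-side option the reporter raises. The names `minScalarLikeSkia`, `clampRadiusAsOnPage` and `clampRadiusSafe` are hypothetical, and the `typedef float SkScalar` assumes a float-scalar Skia build.

```cpp
// Added example (not WebKit/Skia code): how a NaN blur radius survives the
// SkMinScalar-style clamp, and a hardened alternative.
#include <cmath>
#include <cstdio>
#include <limits>

typedef float SkScalar;  // assumption: Skia built with float scalars

static const SkScalar MAX_RADIUS = 128.0f;  // same cap as filterMask uses

// Same shape as the SkMinScalar quoted on the page. IEEE 754 ordered
// comparisons with NaN are always false, so for a == NaN this returns b.
inline SkScalar minScalarLikeSkia(SkScalar a, SkScalar b) {
    return a < b ? a : b;
}

// The clamp as filterMask performs it: NaN is not rejected, it becomes
// MAX_RADIUS, the largest (most allocation-hungry) radius the code allows.
SkScalar clampRadiusAsOnPage(SkScalar radius) {
    return minScalarLikeSkia(radius, MAX_RADIUS);
}

// Hypothetical hardened clamp: NaN, +/-infinity and negative radii are
// treated as 0 (no blur) instead of being widened to the cap; finite
// positive radii are capped as before.
SkScalar clampRadiusSafe(SkScalar radius) {
    if (!std::isfinite(radius) || radius < 0) {
        return 0.0f;
    }
    return radius < MAX_RADIUS ? radius : MAX_RADIUS;
}

// Stand-alone demonstration; the values printed are what the two clamps return.
int main() {
    const SkScalar nan = std::numeric_limits<SkScalar>::quiet_NaN();
    std::printf("as on page: NaN -> %g, 5 -> %g, 10000 -> %g\n",
                clampRadiusAsOnPage(nan), clampRadiusAsOnPage(5.0f),
                clampRadiusAsOnPage(10000.0f));
    std::printf("hardened:   NaN -> %g, -3 -> %g, inf -> %g, 10000 -> %g\n",
                clampRadiusSafe(nan), clampRadiusSafe(-3.0f),
                clampRadiusSafe(std::numeric_limits<SkScalar>::infinity()),
                clampRadiusSafe(10000.0f));
    return 0;
}
```

Note that the hardened clamp only closes the Skia side; a check on the WebKit side (rejecting a non-finite blur in setShadow before it ever reaches the mask filter) would still be the more robust place to stop the value, since the SkASSERT in the constructor is compiled out of release builds.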