[Webkit-unassigned] [Bug 66290] New: Passing invalid blur values through context2d setShadow causes large values in Skia
bugzilla-daemon at webkit.org
Tue Aug 16 04:17:16 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=66290
Summary: Passing invalid blur values through context2d
setShadow causes large values in Skia
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Windows Vista
Status: NEW
Severity: Normal
Priority: P1
Component: Canvas
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: skylined at chromium.org
CC: mdelaney at apple.com
Created an attachment (id=104022)
--> (https://bugs.webkit.org/attachment.cgi?id=104022&action=review)
Repro
Repro:
<script>
oCanvas=document.createElement("canvas");
oContext2d=oCanvas.getContext("2d");
oContext2d.setShadow(5,6,'l');
oContext2d.setLineWidth(6308.);
oContext2d.strokeText('$',0,0);
</script>
There is no sanity check in WebKit's WebCore::CanvasRenderingContext2D, WebCore::GraphicsContext or Skia's SkBlurMaskFilter code. We hit the first SkASSERT in the code below because radius is NaN.
skia\src\effects\skblurmaskfilter.cpp
SkBlurMaskFilterImpl::SkBlurMaskFilterImpl(SkScalar radius, SkBlurMaskFilter::BlurStyle style,
                                           uint32_t flags)
    : fRadius(radius), fBlurStyle(style), fBlurFlags(flags)
{
#if 0
    fGamma = NULL;
    if (gammaScale)
    {
        fGamma = new U8[256];
        if (gammaScale > 0)
            SkBlurMask::BuildSqrGamma(fGamma, gammaScale);
        else
            SkBlurMask::BuildSqrtGamma(fGamma, -gammaScale);
    }
#endif
    SkASSERT(radius >= 0);
    SkASSERT((unsigned)style < SkBlurMaskFilter::kBlurStyleCount);
    SkASSERT(flags <= SkBlurMaskFilter::kAll_BlurFlag);
}
The invalid radius is later used in SkBlurMaskFilterImpl::filterMask, where the code tries to limit it to a sane value:
bool SkBlurMaskFilterImpl::filterMask(SkMask* dst, const SkMask& src, const SkMatrix& matrix, SkIPoint* margin)
{
    SkScalar radius;
    if (fBlurFlags & SkBlurMaskFilter::kIgnoreTransform_BlurFlag)
        radius = fRadius;
    else
        radius = matrix.mapRadius(fRadius);
    // To avoid unseemly allocation requests (esp. for finite platforms like
    // handset) we limit the radius so something manageable. (as opposed to
    // a request like 10,000)
    static const SkScalar MAX_RADIUS = SkIntToScalar(128);
    radius = SkMinScalar(radius, MAX_RADIUS);
    SkBlurMask::Quality blurQuality = (fBlurFlags & SkBlurMaskFilter::kHighQuality_BlurFlag) ?
        SkBlurMask::kHigh_Quality : SkBlurMask::kLow_Quality;
    if (SkBlurMask::Blur(dst, src, radius, (SkBlurMask::Style)fBlurStyle, blurQuality))
    {
        if (margin) {
            // we need to integralize radius for our margin, so take the ceil
            // just to be safe.
            margin->set(SkScalarCeil(radius), SkScalarCeil(radius));
        }
        return true;
    }
    return false;
}
The code for "SkMinScalar" which is used to limit the value does not handle NaN:
inline SkScalar SkMinScalar(SkScalar a, SkScalar b) { return a < b ? a : b; }
In this case, the value will be set to MAX_RADIUS, which has led to OOM on some of my test machines.
I'm not sure which part(s) of the code is wrong; WebKit should probably throw an error when you specify an invalid blur value, but maybe Skia should just treat them as 0? I'll file bugs everywhere to get a discussion going.
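Added example, not part of the original report and not Skia or WebKit code: it reproduces the comparison used by SkMinScalar to show how NaN, negative and oversized radii pass through it, next to a hypothetical clamp that treats invalid radii as 0 as the report suggests. Scalar, kMaxRadius, min_scalar, radius_assert_holds and sanitize_radius are names assumed for illustration, and SkScalar is assumed to be a float.

```cpp
#include <cmath>
#include <cstdio>
#include <limits>

typedef float Scalar;  // stand-in for SkScalar (assumption: float scalars)

static const Scalar kMaxRadius = 128.0f;  // MAX_RADIUS from filterMask above

// Same comparison as the SkMinScalar quoted in the report.
inline Scalar min_scalar(Scalar a, Scalar b) { return a < b ? a : b; }

// Mirrors the condition in SkASSERT(radius >= 0), which only exists in debug builds.
inline bool radius_assert_holds(Scalar radius) { return radius >= 0; }

// Hypothetical hardened clamp: NaN and negative radii become 0,
// every other value (including +infinity) is capped at kMaxRadius.
inline Scalar sanitize_radius(Scalar radius) {
    if (!(radius >= 0))  // taken for NaN too: every comparison with NaN is false
        return 0;
    return radius < kMaxRadius ? radius : kMaxRadius;
}

int main() {
    const Scalar nan = std::numeric_limits<Scalar>::quiet_NaN();
    // Constructed sample inputs: valid, oversized, negative, NaN, infinity.
    const Scalar samples[] = { 5.0f, 10000.0f, -1.0f, nan,
                               std::numeric_limits<Scalar>::infinity() };
    for (Scalar r : samples)
        std::printf("radius=%g assert=%d min=%g sanitized=%g\n", r,
                    radius_assert_holds(r), min_scalar(r, kMaxRadius),
                    sanitize_radius(r));
    // Argument order matters: with NaN as the second operand, NaN is returned.
    std::printf("min(128, NaN)=%g\n", min_scalar(kMaxRadius, nan));
    return 0;
}
```

With the operand order used in filterMask, a NaN radius silently becomes the maximum blur radius; the negated comparison in sanitize_radius is what catches it.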