[Webkit-unassigned] [Bug 61603] FEConcolveMatrix::getPixelValue() is range checking x against height, instead of y, when determining if a pixel is in bounds
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri May 27 02:02:18 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=61603
--- Comment #8 from Ryan Sleevi <rsleevi at chromium.org> 2011-05-27 02:02:17 PST ---
I've attached a simple test that generates visibly different results with and without the fix.
First, the logic begins with setOuterPixels/fastSetOuterPixels called with x1=0,y1=0,x1=width,y1=targetY in FEConvolveMatrix::apply()
In a 3x3 kernelMatrix, order is 3 3, and the default targetY of floor(3/2) == 1 is used.
When fastSetOuterPixels is called, it initializes startKernelPixelY = y1 - targetY. For the first row, this is 0 - 1, or startKernelPixelY = -1.
During the inner-most loop of fastSetOuterPixels, it calls getPixelValue with kernelPixelX, kernelPixelY. The initial value of kernelPixelY is startKernelPixelY, or -1.
As a result, getPixelValue is invoked with (-1,-1) for the pixel at (0,0), (0,-1) for the pixel at (1, 0), etc. For the entire row, y is -1
Note, this is *NOT* a crash. This is because pixelIndex, returned as a negative value, is *not* used in fastSetOuterPixels. Instead, fastSetOuterPixels performs no illegal accesses due to pixelIndex being negative - it is properly checked at all times. However, because of the negative value, the totals are all 0, instead of their expected values, which is the result of the pixel from the row beneath. This is why I uploaded a pixel test.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list