[Webkit-unassigned] [Bug 132635] New: Using a fill pattern much larger than actual canvas reliably segfaults browser
bugzilla-daemon at webkit.org
Tue May 6 17:36:39 PDT 2014
https://bugs.webkit.org/show_bug.cgi?id=132635
Summary: Using a fill pattern much larger than actual canvas reliably segfaults browser
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: Canvas
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: stephen.judkins at gmail.com
Created an attachment (id=230959)
--> (https://bugs.webkit.org/attachment.cgi?id=230959&action=review)
Stack trace on crashing Safari process, OS X
The following code will reliably crash Safari or a UI WebView on iOS or OS X:
```javascript
var canvas, ctx, pattern, patternCanvas, ratio, size;
// The pattern source is made 50x larger than the target canvas in each dimension.
ratio = 50;
canvas = document.createElement("canvas");
size = document.body.getBoundingClientRect();
canvas.width = size.width * devicePixelRatio;
canvas.height = size.height * devicePixelRatio;
// Oversized pattern canvas: 2500x the pixel area of the target canvas.
patternCanvas = document.createElement('canvas');
patternCanvas.width = Math.floor(canvas.width * ratio);
patternCanvas.height = Math.floor(canvas.height * ratio);
ctx = canvas.getContext("2d");
pattern = ctx.createPattern(patternCanvas, 'repeat');
ctx.rect(0, 0, canvas.width, canvas.height);
ctx.fillStyle = pattern;
// The fill triggers the crash described below.
ctx.fill();
```
This appears to cause a null pointer dereference in `WebCore::Pattern::createPlatformPattern` because `tileImage` is not set. See attached stack trace.
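As an added example (not part of the bug report or of WebKit's own code), the following shows the guard a page author can put in front of `createPattern` so that a pattern source whose backing store may not exist is rejected or scaled down before it reaches the engine. The pixel budget `MAX_PATTERN_PIXELS`, the helper names, and the sample dimensions (a 1280x720 body at devicePixelRatio 2, multiplied by the report's ratio of 50) are assumptions constructed for this example; the report itself gives no numeric limit.

```javascript
// Hypothetical pixel budget for a pattern source canvas (constructed for this example).
const MAX_PATTERN_PIXELS = 16 * 1024 * 1024;

// True when a width/height pair is a positive integer size within the budget.
function patternSourceIsSafe(width, height, maxPixels = MAX_PATTERN_PIXELS) {
  if (!Number.isInteger(width) || !Number.isInteger(height)) return false;
  if (width <= 0 || height <= 0) return false;
  return width * height <= maxPixels;
}

// Scale a requested pattern size down proportionally so its area fits the budget.
// Sizes already within the budget are returned unchanged.
function clampPatternSize(width, height, maxPixels = MAX_PATTERN_PIXELS) {
  const area = width * height;
  if (area <= maxPixels) return { width, height };
  const scale = Math.sqrt(maxPixels / area);
  return {
    width: Math.max(1, Math.floor(width * scale)),
    height: Math.max(1, Math.floor(height * scale)),
  };
}

// Wrapper around ctx.createPattern that refuses oversized sources and
// treats a null return (no backing image) as an error instead of a crash.
function createPatternChecked(ctx, source, repetition = 'repeat', maxPixels = MAX_PATTERN_PIXELS) {
  if (!patternSourceIsSafe(source.width, source.height, maxPixels)) {
    throw new RangeError(
      'pattern source ' + source.width + 'x' + source.height + ' exceeds the pixel budget'
    );
  }
  const pattern = ctx.createPattern(source, repetition);
  if (pattern === null) {
    throw new Error('createPattern returned null: source canvas has no backing image');
  }
  return pattern;
}

// Reproduce the report's arithmetic with constructed sample numbers:
// a 1280x720 body at devicePixelRatio 2, then ratio = 50 for the pattern source.
function reportedPatternSize(bodyWidth = 1280, bodyHeight = 720, dpr = 2, ratio = 50) {
  const canvasWidth = bodyWidth * dpr;
  const canvasHeight = bodyHeight * dpr;
  return {
    width: Math.floor(canvasWidth * ratio),
    height: Math.floor(canvasHeight * ratio),
  };
}

// Usage in a browser (not executed here): the oversized source is clamped
// before any canvas of that size is allocated.
function buildSafePatternCanvas(doc, requested, maxPixels = MAX_PATTERN_PIXELS) {
  const clamped = clampPatternSize(requested.width, requested.height, maxPixels);
  const patternCanvas = doc.createElement('canvas');
  patternCanvas.width = clamped.width;
  patternCanvas.height = clamped.height;
  return patternCanvas;
}
```

`reportedPatternSize()` yields a 128000x72000 source, far beyond any reasonable backing-store budget, so `patternSourceIsSafe` rejects it and `clampPatternSize` brings it down to a size whose area fits the budget while keeping the aspect ratio.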