[Webkit-unassigned] [Bug 220584] New: createImageBitmap() causes null pointer dereference using Cairo lib

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jan 13 03:21:45 PST 2021


https://bugs.webkit.org/show_bug.cgi?id=220584

            Bug ID: 220584
           Summary: createImageBitmap() causes null pointer dereference
                    using Cairo lib
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: wz906234737 at gmail.com

Created attachment 417519

  --> https://bugs.webkit.org/attachment.cgi?id=417519&action=review

the script that caused the crash

1. Reproduction of the crash:

(1) open inspector window and run the script below in the console;
(2) the script is:

```javascript
(function () {
    const _1 = 32769;
    const _0 = new ImageData(1, _1);
    const _3 = {resizeHeight: 1};
    return createImageBitmap(_0, _3);
})();
```

Changing `_1` to a value less than 32768 is safe.

At the critical point `32768`, the crash occurs on the `debug` version but not on the `release` version.


2. Analysis
I found that the crash was caused by a null pointer dereference in `Source/WebCore/html/ImageBitmap.cpp:823`.

This is because the `Cairo` library limits image width and height to less than 32768, and returns nullptr if either is larger than the limit.

The limit `cairoMaxImageSize` is defined in `Source/WebCore/platform/graphics/ImageBackingStore.h:39`.
The function `create` is defined in `Source/WebCore/platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp:44`.

The part of the code that returns nullptr:

```cpp
// ========== Source/WebCore/platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp:50 ==========
    IntSize backendSize = calculateBackendSize(parameters.logicalSize, parameters.resolutionScale);
    if (backendSize.isEmpty() || backendSize.width() > cairoMaxImageSize || backendSize.height() > cairoMaxImageSize)
        return nullptr;
```
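The following is an added, self-contained illustration of the pattern described in the analysis; it is not WebKit code. It mirrors the size check quoted above (a factory that returns nullptr for empty or oversize backends, using the `cairoMaxImageSize` value of 32768 from the report) and pairs it with a caller in the shape of a resize step that checks every factory result before dereferencing it, which is the guard a crash of the reported kind needs. `IntSize`, `ImageSurfaceBackend`, `createBackend` and `resizeBitmap` are hypothetical stand-ins, and treating a non-positive dimension as "empty" is an assumption.

```cpp
// Added illustration only; this is not WebKit's code. It mirrors the size check
// quoted from ImageBufferCairoImageSurfaceBackend.cpp and shows the caller-side
// null check that a null-dereference report like this one calls for.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Stated in the report: Cairo refuses image surfaces wider or taller than this.
constexpr int cairoMaxImageSize = 32768;

// Minimal stand-in for WebCore::IntSize (assumption: a non-positive dimension is "empty").
class IntSize {
public:
    IntSize(int w, int h) : m_width(w), m_height(h) {}
    int width() const { return m_width; }
    int height() const { return m_height; }
    bool isEmpty() const { return m_width <= 0 || m_height <= 0; }
private:
    int m_width;
    int m_height;
};

// Hypothetical stand-in for the Cairo image-surface backend: one 32-bit pixel per sample.
struct ImageSurfaceBackend {
    IntSize size;
    std::vector<uint32_t> pixels;
    explicit ImageSurfaceBackend(IntSize s)
        : size(s), pixels(static_cast<size_t>(s.width()) * static_cast<size_t>(s.height()), 0u) {}
};

// Mirrors the quoted create(): an empty or oversize request yields nullptr, not a backend.
std::unique_ptr<ImageSurfaceBackend> createBackend(IntSize backendSize)
{
    if (backendSize.isEmpty() || backendSize.width() > cairoMaxImageSize || backendSize.height() > cairoMaxImageSize)
        return nullptr;
    return std::make_unique<ImageSurfaceBackend>(backendSize);
}

enum class ResizeStatus { Ok, UnsupportedSize };

// Caller in the shape of a resize step: each factory result is checked before use,
// so an unsupported size becomes a reported failure instead of a null dereference.
ResizeStatus resizeBitmap(IntSize sourceSize, IntSize targetSize)
{
    auto source = createBackend(sourceSize);
    if (!source)
        return ResizeStatus::UnsupportedSize;
    auto target = createBackend(targetSize);
    if (!target)
        return ResizeStatus::UnsupportedSize;

    // Nearest-neighbour sampling, enough to exercise both buffers for real.
    for (int y = 0; y < targetSize.height(); ++y) {
        int sy = static_cast<int>(static_cast<int64_t>(y) * sourceSize.height() / targetSize.height());
        for (int x = 0; x < targetSize.width(); ++x) {
            int sx = static_cast<int>(static_cast<int64_t>(x) * sourceSize.width() / targetSize.width());
            size_t from = static_cast<size_t>(sy) * static_cast<size_t>(sourceSize.width()) + static_cast<size_t>(sx);
            size_t to = static_cast<size_t>(y) * static_cast<size_t>(targetSize.width()) + static_cast<size_t>(x);
            target->pixels[to] = source->pixels[from];
        }
    }
    return ResizeStatus::Ok;
}

// The report's shape: a 1 x 32769 source resized to height 1 is refused, not dereferenced.
bool reportCaseIsRefused()
{
    return resizeBitmap(IntSize(1, 32769), IntSize(1, 1)) == ResizeStatus::UnsupportedSize;
}

// A source under the limit goes through the same path successfully.
bool smallerSourceSucceeds()
{
    return resizeBitmap(IntSize(1, 32767), IntSize(1, 1)) == ResizeStatus::Ok;
}

int main()
{
    return (reportCaseIsRefused() && smallerSourceSucceeds()) ? 0 : 1;
}
```

The status enum is a stand-in for whatever failure the real API surfaces (the reporter does not say how `createImageBitmap` should fail here); the point is only that the factory's nullptr is consumed by a check rather than by a dereference.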
