Title: [200760] branches/safari-601.1.46-branch/Source/WebCore
Revision
200760
Author
matthew_han...@apple.com
Date
2016-05-12 02:12:28 -0700 (Thu, 12 May 2016)

Log Message

Merge r199243. rdar://problem/26228921

Modified Paths

Diff

Modified: branches/safari-601.1.46-branch/Source/WebCore/ChangeLog (200759 => 200760)


--- branches/safari-601.1.46-branch/Source/WebCore/ChangeLog	2016-05-12 09:12:26 UTC (rev 200759)
+++ branches/safari-601.1.46-branch/Source/WebCore/ChangeLog	2016-05-12 09:12:28 UTC (rev 200760)
@@ -1,5 +1,23 @@
 2016-05-12  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r199243. rdar://problem/26228921
+
+    2016-04-08  Said Abou-Hallawa  <sabouhallawa@apple,com>
+
+            Timing attack on SVG feComposite filter circumvents same-origin policy
+            https://bugs.webkit.org/show_bug.cgi?id=154338
+
+            Reviewed by Oliver Hunt.
+
+            Ensure the FEComposite arithmetic filter is clamping the resulted color
+            components in a constant time.
+
+            * platform/graphics/filters/FEComposite.cpp:
+            (WebCore::clampByte):
+            (WebCore::computeArithmeticPixels):
+
+2016-05-12  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r199101. rdar://problem/26228884
 
     2016-04-06  Zalan Bujtas  <za...@apple.com>

Modified: branches/safari-601.1.46-branch/Source/WebCore/platform/graphics/filters/FEComposite.cpp (200759 => 200760)


--- branches/safari-601.1.46-branch/Source/WebCore/platform/graphics/filters/FEComposite.cpp	2016-05-12 09:12:26 UTC (rev 200759)
+++ branches/safari-601.1.46-branch/Source/WebCore/platform/graphics/filters/FEComposite.cpp	2016-05-12 09:12:28 UTC (rev 200760)
@@ -120,6 +120,13 @@
 
     forceValidPreMultipliedPixels();
 }
+    
+static unsigned char clampByte(int c)
+{
+    unsigned char buff[] = { static_cast<unsigned char>(c), 255, 0 };
+    unsigned uc = static_cast<unsigned>(c);
+    return buff[!!(uc & ~0xff) + !!(uc & ~(~0u >> 1))];
+}
 
 template <int b1, int b4>
 static inline void computeArithmeticPixels(unsigned char* source, unsigned char* destination, int pixelArrayLength,
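Review bot: clampByte has no comment saying that its branch-free table lookup is deliberate, so a later cleanup could bring back an if/else chain and with it the data-dependent timing this commit removes. I would put `// Branch-free on purpose (bug 154338): index 0 keeps c, 1 yields 255 when c > 255, 2 yields 0 when c is negative. Do not rewrite with if/else.` directly above the function. The C++ standard does not promise that `!!(...)` or the indexed load compile without a branch, so the generated code is worth checking on each shipped toolchain and optimisation level. As a style point, the added blank line before the function carries trailing whitespace.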
@@ -141,12 +148,7 @@
         if (b4)
             result += scaledK4;
 
-        if (result <= 0)
-            *destination = 0;
-        else if (result >= 255)
-            *destination = 255;
-        else
-            *destination = result;
+        *destination = clampByte(result);
         ++source;
         ++destination;
     }
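Review bot: `clampByte(result)` converts result to int before any range check, whereas the removed comparisons tested result directly and narrowed it only when it was already in range. The declaration of result is outside this hunk; if it is a floating-point value (the `scaledK4` term suggests it may be), a magnitude beyond the int range makes that conversion undefined behaviour, and the filter coefficients presumably come from page content. Either confirm that the inputs keep result inside int range, or bound it before the conversion, for example `*destination = clampByte(std::max(-1.0f, std::min(256.0f, result)));` (needs `<algorithm>`), after checking that the compiler emits this without a branch. computeArithmeticPixels begins before this hunk and continues past it.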