Title: [293160] releases/WebKitGTK/webkit-2.36/Source/WebCore
- Revision
- 293160
- Author
- carlo...@webkit.org
- Date
- 2022-04-21 02:51:44 -0700 (Thu, 21 Apr 2022)
Log Message
Merge r292901 - [GTK] AddressSanitizer: heap-buffer-overflow in WebCore::Length::ref()
https://bugs.webkit.org/show_bug.cgi?id=237389
Reviewed by Žan Doberšek.
* platform/graphics/nicosia/NicosiaAnimation.cpp:
(Nicosia::createThreadsafeKeyFrames): Convert Length members of transform functions to
the fixed variety before they are moved to separate threads.
(Nicosia::Animation::Animation): Use the new helper.
* platform/graphics/transforms/TranslateTransformOperation.h: Added setters.
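--- a/releases/WebKitGTK/webkit-2.36/Source/WebCore/ChangeLog
+++ b/releases/WebKitGTK/webkit-2.36/Source/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2022-04-14 Martin Robinson <mrobin...@webkit.org>
+
+ [GTK] AddressSanitizer: heap-buffer-overflow in WebCore::Length::ref()
+ https://bugs.webkit.org/show_bug.cgi?id=237389
+
+ Reviewed by Žan Doberšek.
+
+ * platform/graphics/nicosia/NicosiaAnimation.cpp:
+ (Nicosia::createThreadsafeKeyFrames): Convert Length members of transform functions to
+ the fixed variety before they are moved to separate threads.
+ (Nicosia::Animation::Animation): Use the new helper.
+ * platform/graphics/transforms/TranslateTransformOperation.h: Added setters.
+
 2022-04-01 Carlos Garcia Campos <cgar...@igalia.com>
 REGRESSION(r290360): [GLX] Crash on process exit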
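--- a/releases/WebKitGTK/webkit-2.36/Source/WebCore/platform/graphics/nicosia/NicosiaAnimation.cpp
+++ b/releases/WebKitGTK/webkit-2.36/Source/WebCore/platform/graphics/nicosia/NicosiaAnimation.cpp
@@ -21,6 +21,7 @@
 #include "NicosiaAnimation.h"
 #include "LayoutSize.h"
+#include "TranslateTransformOperation.h"
 namespace Nicosia {
@@ -166,9 +167,35 @@
 return CubicBezierTimingFunction::defaultTimingFunction();
 }
+static KeyframeValueList createThreadsafeKeyFrames(const KeyframeValueList& originalKeyframes, const FloatSize& boxSize)
+{
+ if (originalKeyframes.property() != AnimatedPropertyTransform)
+ return originalKeyframes;
+
+ // Currently translation operations are the only transform operations that store a non-fixed
+ // Length. Some Lengths, in particular those for calc() operations, are not thread-safe or
+ // multiprocess safe, because they maintain indices into a shared HashMap of CalculationValues.
+ // This code converts all possible unsafe Length parameters to fixed Lengths, which are safe to
+ // use in other threads and across IPC channels.
+ KeyframeValueList keyframes = originalKeyframes;
+ for (unsigned i = 0; i < keyframes.size(); i++) {
+ const auto& transformValue = static_cast<const TransformAnimationValue&>(keyframes.at(i));
+ for (auto& operation : transformValue.value().operations()) {
+ if (is<TranslateTransformOperation>(operation)) {
+ TranslateTransformOperation* translation = static_cast<TranslateTransformOperation*>(operation.get());
+ translation->setX(Length(translation->xAsFloat(boxSize), LengthType::Fixed));
+ translation->setY(Length(translation->yAsFloat(boxSize), LengthType::Fixed));
+ translation->setZ(Length(translation->zAsFloat(), LengthType::Fixed));
+ }
+ }
+ }
+
+ return keyframes;
+}
+
 Animation::Animation(const String& name, const KeyframeValueList& keyframes, const FloatSize& boxSize, const WebCore::Animation& animation, bool listsMatch, MonotonicTime startTime, Seconds pauseTime, AnimationState state)
 : m_name(name.isSafeToSendToAnotherThread() ? name : name.isolatedCopy())
- , m_keyframes(keyframes)
+ , m_keyframes(createThreadsafeKeyFrames(keyframes, boxSize))
 , m_boxSize(boxSize)
 , m_timingFunction(animation.timingFunction()->clone())
 , m_iterationCount(animation.iterationCount())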
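Review bot: The `translation->setX/setY/setZ(...)` calls write through `operation.get()`, i.e. into whatever `TransformOperation` object the copied list points at, and whether `KeyframeValueList keyframes = originalKeyframes;` deep-clones those operations or merely copies the `RefPtr`s is not visible in this hunk; if they are shared, the fixed values are also written into the main-thread operations the original list still references. The `const auto& transformValue` on the line above does not guard against that, since `RefPtr::get()` hands back a non-const pointer, so the thread-safety of this helper rests entirely on the copy constructor cloning, which deserves stating next to the copy: `// Relies on KeyframeValueList's copy constructor cloning every TransformOperation; the setters below mutate in place.` As a point of style, the `is<TranslateTransformOperation>` check followed by a `static_cast` could use `downcast<TranslateTransformOperation>(*operation)`, which asserts the type in debug builds. The resolved values also bake in `boxSize` at construction time, which is presumably the intent since `m_boxSize` is stored alongside, but a one-line comment saying percentages are resolved here rather than at apply time would save the next reader the inference.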
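--- a/releases/WebKitGTK/webkit-2.36/Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.h
+++ b/releases/WebKitGTK/webkit-2.36/Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.h
@@ -58,6 +58,10 @@
 Length y() const { return m_y; }
 Length z() const { return m_z; }
+ void setX(Length newX) { m_x = newX; }
+ void setY(Length newY) { m_y = newY; }
+ void setZ(Length newZ) { m_z = newZ; }
+
 OperationType primitiveType() const final { return isRepresentableIn2D() ? TRANSLATE : TRANSLATE_3D; }
 bool apply(TransformationMatrix& transform, const FloatSize& borderBoxSize) const final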
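Review bot: The new `setX`/`setY`/`setZ` make an object that is otherwise exposed only through getters mutable, and these operations are held by `RefPtr` (the `operation.get()` use in NicosiaAnimation.cpp in this same commit), so calling a setter on a shared instance silently changes the transform seen by every holder; the class header is outside the hunk, so whatever it says about sharing or immutability is not visible here. A comment above the setters would make the contract explicit, e.g. `// Instances may be shared via RefPtr; only call these on an operation you exclusively own (such as a fresh clone).` As a minor style point, each setter takes `Length` by value and then copy-assigns it, which for a calc() Length costs an extra ref/deref of the shared calculation described in the NicosiaAnimation.cpp comment; `m_x = WTFMove(newX);` (and likewise for `m_y`, `m_z`) moves the argument into place instead.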