Title: [295260] trunk/Source/WebCore/platform/graphics/filters/FilterImage.cpp
- Revision
- 295260
- Author
- nmouchta...@apple.com
- Date
- 2022-06-04 01:30:21 -0700 (Sat, 04 Jun 2022)
Log Message
Add checks for overflow in FilterImage::copyImageBytes
https://bugs.webkit.org/show_bug.cgi?id=241296
<rdar://89744102>
Reviewed by Said Abou-Hallawa.
Add overflow checks to copyImageBytes functions in FilterImage class.
* Source/WebCore/platform/graphics/filters/FilterImage.cpp:
(WebCore::copyImageBytes):
Canonical link: https://commits.webkit.org/251306@main
Modified: trunk/Source/WebCore/platform/graphics/filters/FilterImage.cpp (295259 => 295260)
--- trunk/Source/WebCore/platform/graphics/filters/FilterImage.cpp 2022-06-04 02:17:32 UTC (rev 295259)
+++ trunk/Source/WebCore/platform/graphics/filters/FilterImage.cpp 2022-06-04 08:30:21 UTC (rev 295260)
@@ -120,7 +120,9 @@
ASSERT(sourcePixelBuffer.size() == destinationPixelBuffer.size());
auto destinationSize = destinationPixelBuffer.size();
- unsigned rowBytes = destinationSize.width() * 4;
+ auto rowBytes = CheckedUint32(destinationSize.width()) * 4;
+ if (UNLIKELY(rowBytes.hasOverflowed()))
+ return;
ConstPixelBufferConversionView source { sourcePixelBuffer.format(), rowBytes, sourcePixelBuffer.bytes() };
PixelBufferConversionView destination { destinationPixelBuffer.format(), rowBytes, destinationPixelBuffer.bytes() };
@@ -153,12 +155,18 @@
if (destinationRect.isEmpty())
return;
- int size = sourceRectClipped.width() * 4;
- int destinationBytesPerRow = destinationPixelBufferRect.width() * 4;
- int sourceBytesPerRow = sourcePixelBufferRect.width() * 4;
- uint8_t* destinationPixel = destinationPixelBuffer.bytes() + destinationRect.y() * destinationBytesPerRow + destinationRect.x() * 4;
- const uint8_t* sourcePixel = sourcePixelBuffer.bytes() + sourceRectClipped.y() * sourceBytesPerRow + sourceRectClipped.x() * 4;
+ auto size = CheckedUint32(sourceRectClipped.width()) * 4;
+ auto destinationBytesPerRow = CheckedUint32(destinationPixelBufferRect.width()) * 4;
+ auto sourceBytesPerRow = CheckedUint32(sourcePixelBufferRect.width()) * 4;
+ auto destinationOffset = destinationRect.y() * destinationBytesPerRow + CheckedUint32(destinationRect.x()) * 4;
+ auto sourceOffset = sourceRectClipped.y() * sourceBytesPerRow + CheckedUint32(sourceRectClipped.x()) * 4;
+ if (UNLIKELY(size.hasOverflowed() || destinationBytesPerRow.hasOverflowed() || sourceBytesPerRow.hasOverflowed() || destinationOffset.hasOverflowed() || sourceOffset.hasOverflowed()))
+ return;
+
+ uint8_t* destinationPixel = destinationPixelBuffer.bytes() + destinationOffset.value();
+ const uint8_t* sourcePixel = sourcePixelBuffer.bytes() + sourceOffset.value();
+
for (int y = 0; y < sourceRectClipped.height(); ++y) {
memcpy(destinationPixel, sourcePixel, size);
destinationPixel += destinationBytesPerRow;
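Review bot: In the new offset computations the y coordinate enters the checked arithmetic as a plain `int` (`destinationRect.y() * destinationBytesPerRow`, `sourceRectClipped.y() * sourceBytesPerRow`) while x is wrapped explicitly in `CheckedUint32(...)`; wrapping y the same way makes a negative coordinate trip the converting constructor's range check instead of relying on how the mixed signed/unsigned operator resolves, e.g. `auto destinationOffset = CheckedUint32(destinationRect.y()) * destinationBytesPerRow + CheckedUint32(destinationRect.x()) * 4;` and likewise for `sourceOffset`. If the clipping that precedes this hunk already guarantees non-negative rects this is only a consistency point, but it then records that assumption at the use site. These checks also guard only the arithmetic, not the buffers: nothing here compares the final offset plus `height * bytesPerRow` against the pixel buffers' byte lengths, so bounds safety still rests on the clipping above, and a one-line comment saying so would help the next reader. The enclosing copyImageBytes overload starts before the hunk and its copy loop continues past it.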