Avoid uninitialized memory read.
authorzandobersek@gmail.com <zandobersek@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 23 Apr 2018 07:44:50 +0000 (07:44 +0000)
committerzandobersek@gmail.com <zandobersek@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 23 Apr 2018 07:44:50 +0000 (07:44 +0000)
https://bugs.webkit.org/show_bug.cgi?id=184505
<rdar://problem/39348325>

Patch by Ms2ger <Ms2ger@igalia.com> on 2018-04-23
Reviewed by Dean Jackson.

LayoutTests/imported/w3c:

* web-platform-tests/2dcontext/imagebitmap/createImageBitmap-bounds-expected.txt: Added.
* web-platform-tests/2dcontext/imagebitmap/createImageBitmap-bounds.html: Added.

Source/WebCore:

Test: imported/w3c/web-platform-tests/2dcontext/imagebitmap/createImageBitmap-bounds.html

* html/ImageBitmap.cpp:
(WebCore::croppedSourceRectangleWithFormatting):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230907 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/web-platform-tests/2dcontext/imagebitmap/createImageBitmap-bounds-expected.txt [new file with mode: 0644]
LayoutTests/imported/w3c/web-platform-tests/2dcontext/imagebitmap/createImageBitmap-bounds.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/ImageBitmap.cpp

index 1380e91..08bdc28 100644 (file)
@@ -1,3 +1,14 @@
+2018-04-23  Ms2ger  <Ms2ger@igalia.com>
+
+        Avoid uninitialized memory read.
+        https://bugs.webkit.org/show_bug.cgi?id=184505
+        <rdar://problem/39348325>
+
+        Reviewed by Dean Jackson.
+
+        * web-platform-tests/2dcontext/imagebitmap/createImageBitmap-bounds-expected.txt: Added.
+        * web-platform-tests/2dcontext/imagebitmap/createImageBitmap-bounds.html: Added.
+
 2018-04-20  Chris Dumez  <cdumez@apple.com>
 
         Unreviewed, rebaseline more tests after r230864.
diff --git a/LayoutTests/imported/w3c/web-platform-tests/2dcontext/imagebitmap/createImageBitmap-bounds-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/2dcontext/imagebitmap/createImageBitmap-bounds-expected.txt
new file mode 100644 (file)
index 0000000..9b0633e
--- /dev/null
@@ -0,0 +1,3 @@
+
+PASS createImageBitmap: clipping to the bitmap 
+
diff --git a/LayoutTests/imported/w3c/web-platform-tests/2dcontext/imagebitmap/createImageBitmap-bounds.html b/LayoutTests/imported/w3c/web-platform-tests/2dcontext/imagebitmap/createImageBitmap-bounds.html
new file mode 100644 (file)
index 0000000..544bd77
--- /dev/null
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<html>
+<title>createImageBitmap: clipping to the bitmap</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/canvas-tests.js"></script>
+<script>
+promise_test(function(t) {
+    return new Promise(function(resolve, reject) {
+        const image = new Image();
+        image.onload = function() { resolve(image); };
+        image.onerror = function() { reject(); };
+        image.src = "/images/green-16x16.png";
+    }).then(function(image) {
+        return createImageBitmap(image, 8, 8, 16, 16);
+    }).then(function(imageBitmap) {
+        const color = 204;
+
+        const canvas = document.createElement("canvas");
+        canvas.width = 16;
+        canvas.height = 16;
+
+        // debug
+        document.body.appendChild(canvas);
+        canvas.setAttribute("style", "width: 100px; height: 100px;");
+
+        const ctx = canvas.getContext("2d");
+        ctx.fillStyle = `rgb(${color}, ${color}, ${color})`;
+        ctx.fillRect(0, 0, 20, 20);
+        ctx.drawImage(imageBitmap, 0, 0);
+
+        const expected = [
+            [ 4,  4, 0,255,0,255],
+            [12,  4, color,color,color,255],
+            [ 4, 12, color,color,color,255],
+            [12, 12, color,color,color,255],
+        ];
+        for (let [x, y, r, g, b, a] of expected) {
+            _assertPixel(canvas, x,y, r,g,b,a, `${x},${y}`, `${r},${g},${b},${a}`);
+        }
+
+    });
+});
+</script>
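Review bot: The `expected` table only exercises a crop rectangle that overhangs the right and bottom edges (`createImageBitmap(image, 8, 8, 16, 16)` on what the file name suggests is a 16x16 image). A rectangle with a negative origin and one lying wholly outside the image are not asserted, and those are the other shapes a clipping fix has to get right. The block under `// debug`, which appends the canvas to the body and scales it to 100px, looks like leftover debugging and is not needed by the pixel assertions. `image.onerror = function() { reject(); };` rejects with no reason, so a missing image fails without a message; `reject(new Error("image failed to load"))` would make that failure readable.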
index 2798e84..aa370cd 100644 (file)
@@ -1,3 +1,16 @@
+2018-04-23  Ms2ger  <Ms2ger@igalia.com>
+
+        Avoid uninitialized memory read.
+        https://bugs.webkit.org/show_bug.cgi?id=184505
+        <rdar://problem/39348325>
+
+        Reviewed by Dean Jackson.
+
+        Test: imported/w3c/web-platform-tests/2dcontext/imagebitmap/createImageBitmap-bounds.html
+
+        * html/ImageBitmap.cpp:
+        (WebCore::croppedSourceRectangleWithFormatting):
+
 2018-04-23  Zan Dobersek  <zdobersek@igalia.com>
 
         [TexMap] Drop RefCounted inheritance off of TextureMapperBackingStore
index 587991a..1640b24 100644 (file)
@@ -162,9 +162,7 @@ static ExceptionOr<IntRect> croppedSourceRectangleWithFormatting(IntSize inputSi
     auto sourceRectangle = rect.value_or(IntRect { 0, 0, inputSize.width(), inputSize.height() });
 
     // 4. Clip sourceRectangle to the dimensions of input.
-
-    sourceRectangle.setWidth(std::min(sourceRectangle.width(), inputSize.width()));
-    sourceRectangle.setHeight(std::min(sourceRectangle.height(), inputSize.height()));
+    sourceRectangle.intersect(IntRect { 0, 0, inputSize.width(), inputSize.height() });
 
     return { WTFMove(sourceRectangle) };
 }
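Review bot: The intersection on the new `sourceRectangle.intersect(IntRect { 0, 0, inputSize.width(), inputSize.height() });` line can come out empty when the requested crop rectangle lies wholly outside the input, and the function still returns it as a success value. Whether the callers cope with a zero-sized rectangle is not visible here, so it is worth confirming that or deciding on an explicit result for that case. The step comment could also record why the clip must be an intersection, for example `// 4. Clip sourceRectangle to the dimensions of input. Intersect rather than clamp width/height: with a non-zero origin a clamped rect can still extend past the input's pixels.` If the rectangle's origin and size reach this point unclamped from script, the edge computation behind the intersection (origin plus size) is presumably done in plain int and could overflow, which deserves a check too. The function body starts outside the hunk, so earlier validation may already cover some of this.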