Merge r205197 - Use of uninitialised memory in TransformationMatrx::b…

…lend4() https://bugs.webkit.org/show_bug.cgi?id=134621 <rdar://problem/27337539> Reviewed by Dean Jackson. Change is based on the Blink change (patch by <[email protected]>): <https://src.chromium.org/viewvc/blink?revision=177453&view=revision> Source/WebCore: TransformationMatrix::blend() was attempting to blend between non-invertable matricies. This resulted in garbage stack variables being used. This patch ensures that blend() will fall back to a 50% step interpolation when one of the sides are not invertable. Tested by new TransformationMatrix test in TestWebKitAPI. * platform/graphics/transforms/TransformationMatrix.cpp: (WebCore::TransformationMatrix::blend2): Properly handle failure in the decompose method calls. (WebCore::TransformationMatrix::blend4): Ditto. Tools: * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj: * TestWebKitAPI/Tests/WebCore/TransformationMatrix.cpp: Added. (TestWebKitAPI::TEST): git-svn-id: http://svn.webkit.org/repository/webkit/releases/WebKitGTK/webkit-2.14@205591 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Igalia · Sep 8, 2016 · 788852e · 788852e
1 parent e5cf0b8
commit 788852e
Show file tree

Hide file tree

Showing 6 changed files with 106 additions and 5 deletions.
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,26 @@
+2016-08-30 Brent Fulgham <[email protected]>
+
+ Use of uninitialised memory in TransformationMatrx::blend4()
+ https://bugs.webkit.org/show_bug.cgi?id=134621
+ <rdar://problem/27337539>
+
+ Reviewed by Dean Jackson.
+
+ Change is based on the Blink change (patch by <[email protected]>):
+ <https://src.chromium.org/viewvc/blink?revision=177453&view=revision>
+
+ TransformationMatrix::blend() was attempting to blend between non-invertable
+ matricies. This resulted in garbage stack variables being used.
+ This patch ensures that blend() will fall back to a 50% step interpolation
+ when one of the sides are not invertable.
+
+ Tested by new TransformationMatrix test in TestWebKitAPI.
+
+ * platform/graphics/transforms/TransformationMatrix.cpp:
+ (WebCore::TransformationMatrix::blend2): Properly handle failure in the
+ decompose method calls.
+ (WebCore::TransformationMatrix::blend4): Ditto.
+
 2016-08-30 Alex Christensen <[email protected]>
 
  URLParser should handle relative URLs that start with //

diff --git a/Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp b/Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp
@@ -1501,8 +1501,11 @@ void TransformationMatrix::blend2(const TransformationMatrix& from, double progr
 {
  Decomposed2Type fromDecomp;
  Decomposed2Type toDecomp;
- from.decompose2(fromDecomp);
- decompose2(toDecomp);
+ if (!from.decompose2(fromDecomp) || !decompose2(toDecomp)) {
+ if (progress < 0.5)
+ *this = from;
+ return;
+ }
 
  // If x-axis of one is flipped, and y-axis of the other, convert to an unflipped rotation.
  if ((fromDecomp.scaleX < 0 && toDecomp.scaleY < 0) || (fromDecomp.scaleY < 0 && toDecomp.scaleX < 0)) {
@@ -1541,8 +1544,11 @@ void TransformationMatrix::blend4(const TransformationMatrix& from, double progr
 {
  Decomposed4Type fromDecomp;
  Decomposed4Type toDecomp;
- from.decompose4(fromDecomp);
- decompose4(toDecomp);
+ if (!from.decompose4(fromDecomp) || !decompose4(toDecomp)) {
+ if (progress < 0.5)
+ *this = from;
+ return;
+ }
 
  blendFloat(fromDecomp.scaleX, toDecomp.scaleX, progress);
  blendFloat(fromDecomp.scaleY, toDecomp.scaleY, progress);

diff --git a/Source/WebCore/platform/graphics/transforms/TransformationMatrix.h b/Source/WebCore/platform/graphics/transforms/TransformationMatrix.h
@@ -294,7 +294,7 @@ class TransformationMatrix {
  bool decompose4(Decomposed4Type&) const;
  void recompose4(const Decomposed4Type&);
 
- void blend(const TransformationMatrix& from, double progress);
+ WEBCORE_EXPORT void blend(const TransformationMatrix& from, double progress);
  void blend2(const TransformationMatrix& from, double progress);
  void blend4(const TransformationMatrix& from, double progress);
 

diff --git a/Tools/ChangeLog b/Tools/ChangeLog
@@ -1,3 +1,18 @@
+2016-08-30 Brent Fulgham <[email protected]>
+
+ Use of uninitialised memory in TransformationMatrx::blend4()
+ https://bugs.webkit.org/show_bug.cgi?id=134621
+ <rdar://problem/27337539>
+
+ Reviewed by Dean Jackson.
+
+ Change is based on the Blink change (patch by <[email protected]>):
+ <https://src.chromium.org/viewvc/blink?revision=177453&view=revision>
+
+ * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+ * TestWebKitAPI/Tests/WebCore/TransformationMatrix.cpp: Added.
+ (TestWebKitAPI::TEST):
+
 2016-08-30 Alex Christensen <[email protected]>
 
  URLParser should handle relative URLs that start with //

diff --git a/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj b/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
@@ -138,6 +138,7 @@
  76E182DD1547569100F1FADD /* WillSendSubmitEvent_Bundle.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 76E182DC1547569100F1FADD /* WillSendSubmitEvent_Bundle.cpp */; };
  76E182DF154767E600F1FADD /* auto-submitting-form.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 76E182DE15475A8300F1FADD /* auto-submitting-form.html */; };
  7A1458FC1AD5C07000E06772 /* mouse-button-listener.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 7A1458FB1AD5C03500E06772 /* mouse-button-listener.html */; };
+ 7AD3FE8E1D76131200B169A4 /* TransformationMatrix.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 7AD3FE8D1D75FB8D00B169A4 /* TransformationMatrix.cpp */; };
  7AE9E5091AE5AE8B00CF874B /* test.pdf in Copy Resources */ = {isa = PBXBuildFile; fileRef = 7AE9E5081AE5AE8B00CF874B /* test.pdf */; };
  7C3965061CDD74F90094DBB8 /* Color.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 7C3965051CDD74F90094DBB8 /* Color.cpp */; };
  7C3DB8E41D12129B00AE8CC3 /* CommandBackForward.mm in Sources */ = {isa = PBXBuildFile; fileRef = 7C3DB8E21D12129B00AE8CC3 /* CommandBackForward.mm */; };
@@ -868,6 +869,7 @@
  7A99D9931AD4A29D00373141 /* MenuTypesForMouseEvents.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = MenuTypesForMouseEvents.mm; sourceTree = "<group>"; };
  7AA021BA1AB09EA70052953F /* DateMath.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DateMath.cpp; sourceTree = "<group>"; };
  7AA6A1511AAC0B31002B2ED3 /* WorkQueue.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WorkQueue.cpp; sourceTree = "<group>"; };
+ 7AD3FE8D1D75FB8D00B169A4 /* TransformationMatrix.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = TransformationMatrix.cpp; sourceTree = "<group>"; };
  7AE9E5081AE5AE8B00CF874B /* test.pdf */ = {isa = PBXFileReference; lastKnownFileType = image.pdf; path = test.pdf; sourceTree = "<group>"; };
  7C3965051CDD74F90094DBB8 /* Color.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = Color.cpp; sourceTree = "<group>"; };
  7C3DB8E21D12129B00AE8CC3 /* CommandBackForward.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = CommandBackForward.mm; sourceTree = "<group>"; };
@@ -1342,6 +1344,7 @@
  CD225C071C45A69200140761 /* ParsedContentRange.cpp */,
  41973B5C1AF22875006C7B36 /* SharedBuffer.cpp */,
  CDC2C7141797089D00E627FB /* TimeRanges.cpp */,
+ 7AD3FE8D1D75FB8D00B169A4 /* TransformationMatrix.cpp */,
  440A1D3814A0103A008A66F2 /* URL.cpp */,
  5C6E65411D5CEF8500F7862E /* URLParser.cpp */,
  );
@@ -2388,6 +2391,7 @@
  buildActionMask = 2147483647;
  files = (
  2E7765CD16C4D80A00BA2BB1 /* mainIOS.mm in Sources */,
+ 7AD3FE8E1D76131200B169A4 /* TransformationMatrix.cpp in Sources */,
  2E7765CF16C4D81100BA2BB1 /* mainMac.mm in Sources */,
  );
  runOnlyForDeploymentPostprocessing = 0;

diff --git a/Tools/TestWebKitAPI/Tests/WebCore/TransformationMatrix.cpp b/Tools/TestWebKitAPI/Tests/WebCore/TransformationMatrix.cpp
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2013, Google Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include <WebCore/TransformationMatrix.h>
+
+using namespace WebCore;
+
+namespace TestWebKitAPI {
+
+TEST(TransformationMatrix, NonInvertableBlend)
+{
+ TransformationMatrix from;
+ TransformationMatrix to(2.7133590938, 0.0, 0.0, 0.0, 0.0, 2.4645137761, 0.0, 0.0, 0.0, 0.0, 0.00, 0.01, 0.02, 0.03, 0.04, 0.05);
+ TransformationMatrix result;
+
+ result = to;
+ result.blend(from, 0.25);
+ EXPECT_TRUE(result == from);
+
+ result = to;
+ result.blend(from, 0.75);
+ EXPECT_TRUE(result == to);
+}
+
+}