Closed Bug 1263685 Opened 4 years ago Closed 4 years ago

Null dereference in SkShader::newWithLocalMatrix

Categories

(Core :: Graphics, defect)

Tracking

RESOLVED FIXED
mozilla48
Tracking Status
firefox47 --- fixed
firefox48 --- fixed

People

(Reporter: lsalzman, Assigned: lsalzman)

Details

(Keywords: crash)

Attachments

(1 file)

Crash reports:
https://crash-stats.mozilla.com/report/index/70f2bec6-90cf-448a-810b-5bd972160409
https://crash-stats.mozilla.com/report/index/31e5ff4f-9991-471a-a528-58a832160409

It looks like DrawTargetSkia::MaskSurface is accessing an SkPaint's shader without verifying it actually has a shader.
This just adds a check inside DrawTargetSkia::MaskSurface to verify a shader actually exists on the paint. If the source pattern for MaskSurface is something like a solid color, it may not have a shader, so offsetting the matrix would make no sense. The check thus avoids crashes in those cases.
Attachment #8740084 - Flags: review?(mchang)
Crash Signature: [@ SkShader::newWithLocalMatrix const ]
Attachment #8740084 - Flags: review?(mchang) → review+
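
The guard described in the comments above, modelled as an added C++ example; it is not the attached patch and not Gecko or Skia code. `Matrix`, `Shader`, `Paint` and `OffsetShaderForMask` are hypothetical stand-ins that keep only the behaviour the bug turns on: a solid-colour paint carries no shader, and `newWithLocalMatrix` is invoked through the shader pointer.

```cpp
#include <memory>
#include <utility>

// Hypothetical stand-in for a transform; only translation is modelled.
struct Matrix {
    float tx = 0.0f;
    float ty = 0.0f;
    Matrix translated(float dx, float dy) const {
        Matrix m = *this;
        m.tx += dx;
        m.ty += dy;
        return m;
    }
};

// Hypothetical stand-in for a shader carrying a local matrix.
struct Shader {
    Matrix local;
    // Called through the shader pointer, as in the crash signature, so a
    // null pointer at the call site is a null dereference.
    std::shared_ptr<Shader> newWithLocalMatrix(const Matrix& m) const {
        auto copy = std::make_shared<Shader>(*this);
        copy->local = m;
        return copy;
    }
};

// Hypothetical stand-in for a paint: a colour plus an optional shader.
struct Paint {
    unsigned color = 0xFF000000u;    // solid colour needs no shader
    std::shared_ptr<Shader> shader;  // null unless a pattern is set
    Shader* getShader() const { return shader.get(); }
    void setShader(std::shared_ptr<Shader> s) { shader = std::move(s); }
};

// Shift the paint's shader by (dx, dy). Returns true when a shader was
// adjusted, false when the paint had none and was left untouched.
bool OffsetShaderForMask(Paint& paint, float dx, float dy) {
    Shader* shader = paint.getShader();
    if (!shader) {
        return false;  // solid colour source: nothing to offset
    }
    Matrix shifted = shader->local.translated(dx, dy);
    paint.setShader(shader->newWithLocalMatrix(shifted));
    return true;
}
```
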
https://hg.mozilla.org/mozilla-central/rev/f1c35c33abff
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Comment on attachment 8740084
Check if paint has a shader before modifying local matrix in DrawTargetSkia::MaskSurface.

Approval Request Comment
[Feature/regressing bug #]: Introduced with Skia update in 47.
[User impact if declined]: Crashes in some masking situations (i.e. SVG)
[Describe test coverage new/current, TreeHerder]: mochitests, reftests
[Risks and why]: Low risk, just prevents a null dereference that was previously being avoided in 46 in more or less the same way.
[String/UUID change made/needed]: None
Attachment #8740084 - Flags: approval-mozilla-aurora?
Comment on attachment 8740084
Check if paint has a shader before modifying local matrix in DrawTargetSkia::MaskSurface.

Crash fix, not-null check, Aurora47+
Attachment #8740084 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+