Closed Bug 944412 Opened 12 years ago Closed 12 years ago

Stride error in SourceSurfaceSkia::InitFromData

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla28
Tracking Flags:
Tracking Status
firefox28 --- fixed

People

(Reporter: kevin, Assigned: kevin)

Details

(Whiteboard: [qa-])

Attachments

(1 file, 3 obsolete files)

Fix an issue with the stride in SourceSurfaceSkia::InitFromData. r=gal
1.45 KB, patch
gal
: review+
Details | Diff | Splinter Review
In SourceSurfaceSkia::InitFromData the data is first copied into a temporary bitmap and then into the bitmap for the surface. However, an assumption is made that the target bitmap ends up with the same stride as the source bitmap. This isn't a valid assumption.
After calling SkBitmap::copyTo, the InitFromData method assumed that the stride of the destination SkBitmap was now the same as the stride of the source bitmap. This was, however, not the case. Now the stride is read back out of the destination bitmap. This was causing a crash due to memory corruption for FORMAT_B8G8R8X8 surfaces.
I also attempted to fix this by calling setConfig on the target bitmap and thus respect the stride that was passed in, but that didn't work (the stride was not set properly). I've verified that before this patch reftest layout/reftests/backgrounds/background-size-cover-continuous.html doesn't work (and often crashes) and that afterwards the results match that of the cairo backend.
Attachment #8339959 - Flags: review?(matt.woodrow)
Comment on attachment 8339959 [details] [diff] [review] Fix an issue with the stride in SourceSurfaceSkia::InitFromData Review of attachment 8339959 [details] [diff] [review]: ----------------------------------------------------------------- Drive by... ::: gfx/2d/SourceSurfaceSkia.cpp @@ +78,4 @@ > if (aFormat == FORMAT_B8G8R8X8) { > mBitmap.lockPixels(); > // We have to manually set the A channel to be 255 as Skia doesn't understand BGRX > ConvertBGRXToBGRA(reinterpret_cast<unsigned char*>(mBitmap.getPixels()), aSize, aStride); The intent is to call ConvertBGRXToBGRA with mBitmap.getPixels(), IntSize(mBitmap.width(),mBitmap.height()), mBitmap.rowBytes() as parameters, right? No big deal, but I think I'd get the intent clearer with just using mBitmap.rowBytes() in the call, rather than setting aStride to the value. aStride was the stride for the incoming aData, seems it may as well stay that, just not get reused.
After calling SkBitmap::copyTo, the InitFromData method assumed that the stride of the destination SkBitmap was now the same as the stride of the source bitmap. This was, however, not the case. Now the stride is read back out of the destination bitmap. This was causing a crash due to memory corruption for FORMAT_B8G8R8X8 surfaces.
Attachment #8339959 - Attachment is obsolete: true
Attachment #8339959 - Flags: review?(matt.woodrow)
Attachment #8339991 - Flags: review?(matt.woodrow)
(In reply to Milan Sreckovic [:milan] from comment #3) > No big deal, but I think I'd get the intent clearer with just using > mBitmap.rowBytes() in the call, rather than setting aStride to the value. > aStride was the stride for the incoming aData, seems it may as well stay > that, just not get reused. Yeah, you're right, that was pure laziness. Fixed now. Note, the intention was also that mStride be set correctly. On that point, is there any reason that the SourceSurfaceSkia class even needs those mSize and mStride instance variables? Can't that all get delegated to the mBitmap?
Comment on attachment 8339991 [details] [diff] [review] Fix an issue with the stride in SourceSurfaceSkia::InitFromData This looks trivial enough for me to r+. I do think it would make sense to not have local copies of mStride and mSize, fwiw.
Attachment #8339991 - Flags: review?(matt.woodrow) → review+
After calling SkBitmap::copyTo, the InitFromData method assumed that the stride of the destination SkBitmap was now the same as the stride of the source bitmap. This was, however, not the case. Now the stride is read back out of the destination bitmap. This was causing a crash due to memory corruption for FORMAT_B8G8R8X8 surfaces.
Attachment #8340057 - Flags: review?(gal)
Attachment #8339991 - Attachment is obsolete: true
Is this another case of just marking checkin-needed rather than running through try since it's not hitting any live code?
Yeah. If you just update a patch you don't have to request for review again. The previous review is fine. For questions about a patch you can do feedback?.
Keywords: checkin-needed
Attachment #8340057 - Flags: review?(gal) → review+
(In reply to Andreas Gal :gal from comment #9) > Yeah. If you just update a patch you don't have to request for review again. > The previous review is fine. Ah ok. I wasn't sure if there it was somehow automated that only patches where the attachment is r+ could be landed.
After calling SkBitmap::copyTo, the InitFromData method assumed that the stride of the destination SkBitmap was now the same as the stride of the source bitmap. This was, however, not the case. Now the stride is read back out of the destination bitmap. This was causing a crash due to memory corruption for FORMAT_B8G8R8X8 surfaces.
Attachment #8341155 - Attachment is obsolete: true
https://hg.mozilla.org/mozilla-central/rev/f6d8a9a56abb
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
status-firefox28: --- → fixed
Whiteboard: [qa-]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: