commit 5baeeceb312bb875ba930e96b381e12d27ae8ff3
parent 2b3e0cef38ee434fa0b926a0790a125c115af852
Author: Timothy Nikkel <tnikkel@gmail.com>
Date: Mon, 24 Nov 2025 01:20:44 +0000
Bug 1999841. Check for failure getting data from DataSourceSurface in GetSkImageForSurface. r=lsalzman
The surface is a SourceSurfaceWebgl. When we call SourceSurfaceWebgl::EnsureData the only thing present in the surface is a mDT weak pointer. The pointer is evidently gone as when we try to use it in the pernosco we are not able to. So the data and stride are 0.
Differential Revision: https://phabricator.services.mozilla.com/D273387
Diffstat:
3 files changed, 43 insertions(+), 0 deletions(-)
diff --git a/gfx/2d/DrawTargetSkia.cpp b/gfx/2d/DrawTargetSkia.cpp
@@ -279,6 +279,11 @@ static sk_sp<SkImage> GetSkImageForSurface(SourceSurface* aSurface,
releaseProc = ReleaseTemporarySurface;
}
+ if (!map.mData || map.mStride <= 0) {
+ gfxWarning() << "Failed mapping DataSourceSurface for Skia image";
+ return nullptr;
+ }
+
DataSourceSurface* surf = dataSurface.forget().take();
// Skia doesn't support RGBX surfaces so ensure that the alpha value is opaque
diff --git a/gfx/tests/crashtests/1999841-1.html b/gfx/tests/crashtests/1999841-1.html
@@ -0,0 +1,37 @@
+<canvas id='cid1' height='800' width='800'></canvas>
+<canvas id='cid2' height='800' width='471'></canvas>
+<script>
+function fuzz_1(){
+ const cnv=document.getElementById('cid1');
+ let ctx3=cnv.getContext('2d');
+ try { ctx3.shadowColor = '#3b4'; } catch (e) {}
+ try { ctx3.shadowBlur = 4222.398; } catch (e) {}
+ try { ctx3.fillText('̚', 137, Number.MIN_VALUE, 61.16); } catch (e) {}
+}
+function fuzz_2(){
+ const cnv2=document.getElementById('cid2');
+ let ctx3=cnv2.getContext('2d',{alpha: false});
+ let ctx4=cnv2.getContext('2d');
+ try{ var imd6=ctx4.createImageData(195,154); }catch(e){}
+ try{ var pth7=new Path2D(); }catch(e){}
+ try{ var prn9=ctx4.createPattern(cnv2,'repeat'); }catch(e){}
+ try{ pth7.bezierCurveTo(184,246,40,292764982115,218,66); }catch(e){}
+ try { ctx3.quadraticCurveTo(cnv2.height, 233, 1, 1); } catch (e) {}
+ try { ctx4.stroke(); } catch (e) {}
+ try { ctx4.putImageData(imd6, 280, 82); } catch (e) {}
+ try { cnv2.setAttribute('height', 800); } catch (e) {}
+ try { ctx3.strokeStyle = prn9; } catch (e) {}
+ try { ctx4.stroke(pth7); } catch (e) {}
+}
+
+let loads = Number(sessionStorage.getItem('loads')) + 1
+if (loads === 1) {
+ document.addEventListener("DOMContentLoaded", fuzz_1);
+ window.requestIdleCallback(() => { window.location.reload(true) })
+}
+else {
+ document.addEventListener("DOMContentLoaded", fuzz_2);
+ window.requestIdleCallback(window.close)
+}
+sessionStorage.setItem('loads', loads)
+</script>
diff --git a/gfx/tests/crashtests/crashtests.list b/gfx/tests/crashtests/crashtests.list
@@ -228,3 +228,4 @@ load 1843622.html
load 1898569.html
load 1938548.html
load 1983053.html
+load 1999841-1.html
