Timing attack on SVG feComposite filter circumvents same-origin policy
https://bugs.webkit.org/show_bug.cgi?id=154338

Patch by Said Abou-Hallawa <sabouhallawa@apple,com> on 2016-04-08
Reviewed by Oliver Hunt.

Ensure the FEComposite arithmetic filter is clamping the resulting color
components in constant time.

* platform/graphics/filters/FEComposite.cpp:
(WebCore::clampByte):
(WebCore::computeArithmeticPixels):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@199243 268f45cc-cd09-0410-ab3c-d52691b4dbfc
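The following is an added illustration, not part of the patch or of WebKit's code. It places the branch-based clamp that the patch removes next to the table-driven clamp it introduces, adds a third variant of my own that uses only mask arithmetic (no memory indexing at all; it assumes a 32-bit two's-complement `int`), and checks that all three agree on the extreme values and on a full range of inputs. The point of the exercise is that the two data-dependent branches in the old form make the time taken depend on whether a pixel's computed value fell below 0, inside 0..255, or above 255, while the two replacements perform the same work for every input.

```cpp
#include <cassert>
#include <climits>
#include <cstdint>
#include <cstdio>

// Reference clamp, written the way the removed code looked: two branches
// whose outcome depends on the pixel value, so their timing depends on it too.
static unsigned char clampByteBranchy(int c)
{
    if (c <= 0)
        return 0;
    if (c >= 255)
        return 255;
    return static_cast<unsigned char>(c);
}

// Branch-free clamp via a 3-entry table, the construction the patch adds:
// index 0 -> value already in 0..255, 1 -> above 255, 2 -> negative.
// ~(~0u >> 1) is the top bit of an unsigned, i.e. the sign bit of c.
static unsigned char clampByteTable(int c)
{
    unsigned char buff[] = { static_cast<unsigned char>(c), 255, 0 };
    unsigned uc = static_cast<unsigned>(c);
    return buff[!!(uc & ~0xffu) + !!(uc & ~(~0u >> 1))];
}

// Alternative of my own (an assumption, not from the patch): the same three-way
// decision computed with masks only, so no data-dependent memory access occurs.
// Assumes 32-bit two's-complement int.
static unsigned char clampByteMask(int c)
{
    uint32_t u = static_cast<uint32_t>(c);
    uint32_t isNeg = u >> 31;                      // 1 if c < 0
    uint32_t negMask = 0u - isNeg;                 // all ones if c < 0
    uint32_t high = u & ~0xffu;                    // bits above the low byte
    uint32_t isOut = (high | (0u - high)) >> 31;   // 1 if any high bit set
    uint32_t outMask = 0u - isOut;                 // all ones if outside 0..255
    // in range: keep low byte; above 255: 255; negative: 0
    uint32_t v = (u & 0xffu & ~outMask) | (255u & outMask & ~negMask);
    return static_cast<unsigned char>(v);
}

// Returns true when all three clamps agree on every int in [lo, hi] and on
// a fixed set of boundary values (sample inputs constructed for this check).
static bool clampsAgree(int lo, int hi)
{
    const int extremes[] = { INT_MIN, INT_MIN + 1, -256, -1, 0, 1, 254, 255, 256, INT_MAX - 1, INT_MAX };
    for (int c : extremes) {
        unsigned char r = clampByteBranchy(c);
        if (clampByteTable(c) != r || clampByteMask(c) != r)
            return false;
    }
    for (long long c = lo; c <= hi; ++c) {
        int v = static_cast<int>(c);
        unsigned char r = clampByteBranchy(v);
        if (clampByteTable(v) != r || clampByteMask(v) != r)
            return false;
    }
    return true;
}

int main()
{
    bool ok = clampsAgree(-70000, 70000);
    std::printf("clamps agree on [-70000, 70000] and extremes: %s\n", ok ? "yes" : "no");
    std::printf("table(-5)=%u table(77)=%u table(300)=%u\n",
                clampByteTable(-5), clampByteTable(77), clampByteTable(300));
    return ok ? 0 : 1;
}
```

The table form still performs a memory read whose index depends on the value, but the 3-byte array lives on the stack inside one cache line, so the read itself has no value-dependent timing; the mask form avoids even that. Both still depend on the compiler not reintroducing a branch for `!!` or for the mask arithmetic, which is why the generated code for each target is worth inspecting.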
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 7c71517..7c3e008 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2016-04-08  Said Abou-Hallawa  <sabouhallawa@apple,com>
+
+        Timing attack on SVG feComposite filter circumvents same-origin policy
+        https://bugs.webkit.org/show_bug.cgi?id=154338
+
+        Reviewed by Oliver Hunt.
+
+        Ensure the FEComposite arithmetic filter is clamping the resulted color
+        components in a constant time.
+
+        * platform/graphics/filters/FEComposite.cpp:
+        (WebCore::clampByte):
+        (WebCore::computeArithmeticPixels):
+
 2016-04-08  Brian Burg  <bburg@apple.com>
 
         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
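Review bot: the e-mail address in the new ChangeLog header reads `sabouhallawa@apple,com` (comma instead of dot); correct it to `sabouhallawa@apple.com` before landing, since the ChangeLog header is what later tooling parses for the author.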
diff --git a/Source/WebCore/platform/graphics/filters/FEComposite.cpp b/Source/WebCore/platform/graphics/filters/FEComposite.cpp
index bab97e9..94d1628 100644
--- a/Source/WebCore/platform/graphics/filters/FEComposite.cpp
+++ b/Source/WebCore/platform/graphics/filters/FEComposite.cpp
@@ -120,6 +120,13 @@
 
     forceValidPreMultipliedPixels();
 }
+    
+static unsigned char clampByte(int c)
+{
+    unsigned char buff[] = { static_cast<unsigned char>(c), 255, 0 };
+    unsigned uc = static_cast<unsigned>(c);
+    return buff[!!(uc & ~0xff) + !!(uc & ~(~0u >> 1))];
+}
 
 template <int b1, int b4>
 static inline void computeArithmeticPixels(unsigned char* source, unsigned char* destination, int pixelArrayLength,
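Review bot: `clampByte` carries no comment recording that the table lookup is deliberate, so a later cleanup could fold it back into two comparisons, which is exactly the form this patch removes; add a short comment above the `buff[]` line such as `// Branch-free clamp: index 0 = in range, 1 = above 255, 2 = negative`, and note in it that the constant-time property relies on the compiler emitting `!!` as a flag-setting instruction rather than a branch, which is worth confirming in the generated code for each target. Also, the blank line added before the function (`+    `) carries trailing whitespace.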
@@ -141,12 +148,7 @@
         if (b4)
             result += scaledK4;
 
-        if (result <= 0)
-            *destination = 0;
-        else if (result >= 255)
-            *destination = 255;
-        else
-            *destination = result;
+        *destination = clampByte(result);
         ++source;
         ++destination;
     }
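Review bot: the declaration of `result` is outside the hunk; confirm it is an `int` (the removed branches compared it with `0` and `255` and assigned it directly) so that passing it to `clampByte(int)` is an exact match rather than an implicit conversion from a floating-point type, which is undefined for out-of-range values and could itself become value-dependent. A layout test that exercises the three clamp regions (negative, 0..255, above 255) would also guard that the table version reproduces the old `*destination = 0 / 255 / result` behaviour exactly.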