[13] SVG RenderSVGShape Null Dereference in isPointInStroke
Severity: Low | Component: WebCore SVG rendering | 389fcd9
The observable impact is in every case the same null dereference (a renderer crash), and there is no commit-level evidence of memory corruption. Because null-page protection on modern platforms makes escalation beyond denial of service impossible, the issue is rated Low.
Patch Details
In both RenderSVGShape::shapeDependentStrokeContains and LegacyRenderSVGShape::shapeDependentStrokeContains, the unconditional m_path-> dereference on the LocalCoordinateSpace fallback path was replaced with ensurePath().strokeContains(...). ensurePath() lazily creates the path when it is null.
Source/WebCore/rendering/svg/RenderSVGShape.cpp
bool RenderSVGShape::shapeDependentStrokeContains(const FloatPoint& point, PointCoordinateSpace pointCoordinateSpace)
{
- ASSERT(m_path);
-
if (hasNonScalingStroke() && pointCoordinateSpace != LocalCoordinateSpace) {
+ ASSERT(m_path);
AffineTransform nonScalingTransform = nonScalingStrokeTransform();
Path* usePath = nonScalingStrokePath(m_path.get(), nonScalingTransform);
return usePath->strokeContains(nonScalingTransform.mapPoint(point), [this] (GraphicsContext& context) {
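Review bot: moving ASSERT(m_path) into the non-scaling-stroke branch leaves that branch with only a debug-time check: `Path* usePath = nonScalingStrokePath(m_path.get(), nonScalingTransform);` still hands m_path.get() over unconditionally, and ASSERT compiles away in release builds. If this branch can be reached before layout has produced the path, the same null dereference survives there; either route it through ensurePath() as well, or add a comment stating why pointCoordinateSpace != LocalCoordinateSpace guarantees the path already exists.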
@@ ...
}
- return m_path->strokeContains(point, [this] (GraphicsContext& context) {
+ return ensurePath().strokeContains(point, [this] (GraphicsContext& context) {
SVGRenderSupport::applyStrokeStyleToContext(context, style(), *this);
});
}
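Review bot: the fallback now calls ensurePath() but nothing in the code says why, and the removed top-level ASSERT(m_path) was the only hint that callers were previously expected to supply a path. A one-line comment above `return ensurePath().strokeContains(point, [this] (GraphicsContext& context) {` noting that SVGGeometryElement::isPointInStroke() can reach this method from script before layout has built m_path would keep the raw dereference from being reintroduced. The description also says LegacyRenderSVGShape::shapeDependentStrokeContains received the same change, but that hunk is not shown; include it so both engines can be reviewed together.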
LayoutTests/svg/dom/SVGGeometry-isPointInStroke-with-null-path.html
+<svg style="stroke: black; display: table-caption">
+ <polygon id="polygon"></polygon>
+</svg>
+<script>
+ document.getElementById("polygon").isPointInStroke();
+</script>
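Review bot: the test drives the call but emits no output, so its expectations file would be empty and a run that never reaches the fixed branch is indistinguishable from a pass. Writing a marker after the call, e.g. `document.write("PASS: isPointInStroke() returned without crashing")`, and calling `testRunner.dumpAsText()` when window.testRunner is present would make the expectation explicit. A comment explaining why `display: table-caption` is needed to keep the polygon's path uninitialised would also help whoever later changes the layout code.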
A missing null check before dereferencing a lazily initialised path object, in an SVG hit-testing API callable from JavaScript.
Background
SVG geometry elements such as <path>, <polygon>, and <circle> expose the isPointInStroke() method through the SVGGeometryElement interface. The method hit-tests a point against the element's stroke outline.
Internally, WebKit represents the element's geometry through the m_path member (a std::unique_ptr<Path>). This member is lazily initialised at layout time. ensurePath() is an accessor that creates the path immediately if it does not yet exist.
Analysis
When isPointInStroke() is called from JavaScript on an SVG geometry element whose path has not yet been computed, m_path is null. An empty <polygon> with no coordinates is one such case.
The call reaches shapeDependentStrokeContains with LocalCoordinateSpace as its argument. After bypassing the non-scaling-stroke branch, it dereferences the null m_path pointer directly.
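The following stand-alone C++ is an added example, not WebKit's code: it models the lazily initialised path member and the ensurePath() accessor the patch switches to, so the difference between the pre-fix and post-fix call sites can be run and checked outside the browser. Path, ShapeRenderer, hitTestBeforeLayout and pathIsCreatedOnDemand are simplified stand-ins invented here; they are not WebCore's classes, and the geometry in them is constructed sample data.

```cpp
// Added example (not WebKit code). Models a renderer whose path is built during
// layout and hit-tested from a script-callable API, as in the advisory above.
#include <cmath>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

struct FloatPoint { float x; float y; };

// Stand-in for WebCore's Path: a polyline. strokeContains() reports whether the
// point lies within half the stroke width of any segment (a simplification).
class Path {
public:
    explicit Path(std::vector<FloatPoint> points) : m_points(std::move(points)) {}
    bool strokeContains(const FloatPoint& p, float strokeWidth) const {
        const float half = strokeWidth / 2.0f;
        for (size_t i = 1; i < m_points.size(); ++i)
            if (distanceToSegment(p, m_points[i - 1], m_points[i]) <= half) return true;
        return false; // also the answer for an empty path (no segments at all)
    }
private:
    static float distanceToSegment(const FloatPoint& p, const FloatPoint& a, const FloatPoint& b) {
        float dx = b.x - a.x, dy = b.y - a.y;
        float len2 = dx * dx + dy * dy;
        float t = len2 == 0.0f ? 0.0f : ((p.x - a.x) * dx + (p.y - a.y) * dy) / len2;
        t = std::fmax(0.0f, std::fmin(1.0f, t));
        return std::hypot(p.x - (a.x + t * dx), p.y - (a.y + t * dy));
    }
    std::vector<FloatPoint> m_points;
};

// Stand-in for the renderer. m_path is created in layout(); a script call to the
// hit-test API can arrive before layout has run, leaving m_path null.
class ShapeRenderer {
public:
    ShapeRenderer(std::vector<FloatPoint> geometry, float strokeWidth)
        : m_geometry(std::move(geometry)), m_strokeWidth(strokeWidth) {}

    void layout() { m_path = std::make_unique<Path>(m_geometry); }
    bool hasPath() const { return m_path != nullptr; }

    // Pre-fix shape of the fallback branch: unconditional dereference.
    // Undefined behaviour (null dereference) when called before layout().
    bool strokeContainsBeforeFix(const FloatPoint& p) const {
        return m_path->strokeContains(p, m_strokeWidth);
    }

    // Post-fix shape: ensurePath() builds the path on demand, so a call before
    // layout() is answered against the element's current geometry instead of crashing.
    bool strokeContainsAfterFix(const FloatPoint& p) {
        return ensurePath().strokeContains(p, m_strokeWidth);
    }

private:
    Path& ensurePath() {
        if (!m_path) m_path = std::make_unique<Path>(m_geometry);
        return *m_path;
    }
    std::vector<FloatPoint> m_geometry;
    float m_strokeWidth;
    std::unique_ptr<Path> m_path; // lazily initialised, null until layout() or ensurePath()
};

// Hit-test a renderer that has NOT been laid out, mirroring the regression test's
// script call. empty=true models the coordinate-less <polygon>.
bool hitTestBeforeLayout(bool empty, FloatPoint p) {
    std::vector<FloatPoint> geometry; // constructed sample geometry
    if (!empty) geometry = {{0.0f, 0.0f}, {10.0f, 0.0f}};
    ShapeRenderer renderer(geometry, 2.0f);
    return renderer.strokeContainsAfterFix(p);
}

// Confirms the accessor is genuinely lazy: no path before the call, a path after it.
bool pathIsCreatedOnDemand() {
    ShapeRenderer renderer({{0.0f, 0.0f}, {10.0f, 0.0f}}, 2.0f);
    bool hadPathBefore = renderer.hasPath();
    renderer.strokeContainsAfterFix({5.0f, 0.0f});
    return !hadPathBefore && renderer.hasPath();
}

int main() {
    std::printf("empty polygon, no layout:    %d\n", hitTestBeforeLayout(true, {0.0f, 0.0f}));
    std::printf("point on stroke, no layout:  %d\n", hitTestBeforeLayout(false, {5.0f, 0.5f}));
    std::printf("point off stroke, no layout: %d\n", hitTestBeforeLayout(false, {5.0f, 5.0f}));
    std::printf("path created on demand:      %d\n", pathIsCreatedOnDemand());
    return 0;
}
```

strokeContainsBeforeFix is kept only to show the pre-fix call site; it is never invoked before layout() here, since doing so is the null dereference the patch removes. The defensive point is the accessor: any member that is populated in one phase (layout) but read from an API reachable in another phase (script) needs a guard or an on-demand constructor at the read site, not an assertion that disappears in release builds.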