Index: Source/WebCore/platform/graphics/filters/FilterEffect.cpp |
=================================================================== |
--- Source/WebCore/platform/graphics/filters/FilterEffect.cpp (revision 85995) |
+++ Source/WebCore/platform/graphics/filters/FilterEffect.cpp (working copy) |
@@ -46,6 +46,14 @@ |
{ |
} |
+inline bool isFilterSizeValid(IntRect rect) |
+{ |
+ if (rect.width() < 0 || rect.width() > kMaxFilterSize |
+ || rect.height() < 0 || rect.height() > kMaxFilterSize) |
+ return false; |
+ return true; |
+} |
+ |
void FilterEffect::determineAbsolutePaintRect() |
{ |
m_absolutePaintRect = IntRect(); |
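Review bot: isFilterSizeValid limits width and height separately, but every caller added in this patch goes on to compute `width() * height() * 4`, so the helper only protects that product if kMaxFilterSize squared times four still fits in the integer type used. kMaxFilterSize is defined outside this diff, so that cannot be confirmed from here. A comment above the helper such as `// Callers allocate width * height * 4 bytes; kMaxFilterSize must keep that product within int range.` would record the dependency. The parameter could also be taken as `const IntRect& rect` to match the surrounding signatures.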
@@ -54,7 +62,7 @@ |
m_absolutePaintRect.unite(m_inputEffects.at(i)->absolutePaintRect()); |
// SVG specification wants us to clip to primitive subregion. |
- m_absolutePaintRect.intersect(m_maxEffectRect); |
+ m_absolutePaintRect.intersect(enclosingIntRect(m_maxEffectRect)); |
} |
IntRect FilterEffect::requestedRegionOfInputImageData(const IntRect& effectRect) const |
@@ -104,6 +112,7 @@ |
PassRefPtr<ByteArray> FilterEffect::asUnmultipliedImage(const IntRect& rect) |
{ |
+ ASSERT(isFilterSizeValid(rect)); |
RefPtr<ByteArray> imageData = ByteArray::create(rect.width() * rect.height() * 4); |
copyUnmultipliedImage(imageData.get(), rect); |
return imageData.release(); |
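Review bot: The new `ASSERT(isFilterSizeValid(rect))` in asUnmultipliedImage only guards debug builds, because WTF's ASSERT compiles to nothing in release builds. There `rect.width() * rect.height() * 4` is still computed unchecked unless every caller validates the rect first, which is not visible in this diff. The same applies to asPremultipliedImage and to the two `else` branches that allocate from m_absolutePaintRect in the -169 and -202 hunks. If an oversized rect can be reached from page content, a runtime check such as `if (!isFilterSizeValid(rect)) return 0;` would be needed, with callers prepared for a null result.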
@@ -111,6 +120,7 @@ |
PassRefPtr<ByteArray> FilterEffect::asPremultipliedImage(const IntRect& rect) |
{ |
+ ASSERT(isFilterSizeValid(rect)); |
RefPtr<ByteArray> imageData = ByteArray::create(rect.width() * rect.height() * 4); |
copyPremultipliedImage(imageData.get(), rect); |
return imageData.release(); |
@@ -169,6 +179,7 @@ |
if (m_imageBufferResult) |
m_unmultipliedImageResult = m_imageBufferResult->getUnmultipliedImageData(IntRect(IntPoint(), m_absolutePaintRect.size())); |
else { |
+ ASSERT(isFilterSizeValid(m_absolutePaintRect)); |
m_unmultipliedImageResult = ByteArray::create(m_absolutePaintRect.width() * m_absolutePaintRect.height() * 4); |
unsigned char* sourceComponent = m_premultipliedImageResult->data(); |
unsigned char* destinationComponent = m_unmultipliedImageResult->data(); |
@@ -202,6 +213,7 @@ |
if (m_imageBufferResult) |
m_premultipliedImageResult = m_imageBufferResult->getPremultipliedImageData(IntRect(IntPoint(), m_absolutePaintRect.size())); |
else { |
+ ASSERT(isFilterSizeValid(m_absolutePaintRect)); |
m_premultipliedImageResult = ByteArray::create(m_absolutePaintRect.width() * m_absolutePaintRect.height() * 4); |
unsigned char* sourceComponent = m_unmultipliedImageResult->data(); |
unsigned char* destinationComponent = m_premultipliedImageResult->data(); |
@@ -238,6 +250,8 @@ |
{ |
// Only one result type is allowed. |
ASSERT(!hasResult()); |
+ ASSERT(isFilterSizeValid(m_absolutePaintRect)); |
+ |
determineAbsolutePaintRect(); |
if (m_absolutePaintRect.isEmpty()) |
return 0; |
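Review bot: The added `ASSERT(isFilterSizeValid(m_absolutePaintRect));` runs before `determineAbsolutePaintRect()`, which reassigns m_absolutePaintRect (the first hunk shows it starting from `IntRect()`), so the assertion checks the previous value rather than the rect used afterwards. Moving the assertion to the line after `determineAbsolutePaintRect();` would validate the size that is actually used. The following hunk (-249) has the same ordering. The function's signature lies outside the hunk.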
@@ -249,6 +263,8 @@ |
{ |
// Only one result type is allowed. |
ASSERT(!hasResult()); |
+ ASSERT(isFilterSizeValid(m_absolutePaintRect)); |
+ |
determineAbsolutePaintRect(); |
if (m_absolutePaintRect.isEmpty()) |
return 0; |