
Side by Side Diff: Source/core/html/ImageData.cpp

Issue 1328343002: Do not crash when out of memory at ImageData::create(). (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Created 5 years, 3 months ago
1 /* 1 /*
2 * Copyright (C) 2008 Apple Inc. All rights reserved. 2 * Copyright (C) 2008 Apple Inc. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 7 *
8 * 1. Redistributions of source code must retain the above copyright 8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer. 9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright 10 * 2. Redistributions in binary form must reproduce the above copyright
34 #include "core/dom/ExceptionCode.h" 34 #include "core/dom/ExceptionCode.h"
35 #include "platform/RuntimeEnabledFeatures.h" 35 #include "platform/RuntimeEnabledFeatures.h"
36 36
37 namespace blink { 37 namespace blink {
38 38
39 ImageData* ImageData::create(const IntSize& size) 39 ImageData* ImageData::create(const IntSize& size)
40 { 40 {
41 Checked<int, RecordOverflow> dataSize = 4; 41 Checked<int, RecordOverflow> dataSize = 4;
42 dataSize *= size.width(); 42 dataSize *= size.width();
43 dataSize *= size.height(); 43 dataSize *= size.height();
44 if (dataSize.hasOverflowed()) 44 if (dataSize.hasOverflowed() || dataSize.unsafeGet() < 0)
45 return nullptr; 45 return nullptr;
46 46
47 return new ImageData(size); 47 RefPtr<DOMUint8ClampedArray> byteArray =
48 DOMUint8ClampedArray::createOrNull(dataSize.unsafeGet());
49 if (!byteArray)
50 return nullptr;
51
52 return new ImageData(size, byteArray.release());
48 } 53 }
49 54
50 ImageData* ImageData::create(const IntSize& size, PassRefPtr<DOMUint8ClampedArra y> byteArray) 55 ImageData* ImageData::create(const IntSize& size, PassRefPtr<DOMUint8ClampedArra y> byteArray)
51 { 56 {
52 Checked<int, RecordOverflow> dataSize = 4; 57 Checked<int, RecordOverflow> dataSize = 4;
53 dataSize *= size.width(); 58 dataSize *= size.width();
54 dataSize *= size.height(); 59 dataSize *= size.height();
55 if (dataSize.hasOverflowed()) 60 if (dataSize.hasOverflowed())
56 return nullptr; 61 return nullptr;
57 62
58 if (dataSize.unsafeGet() < 0 63 if (dataSize.unsafeGet() < 0
59 || static_cast<unsigned>(dataSize.unsafeGet()) > byteArray->length()) 64 || static_cast<unsigned>(dataSize.unsafeGet()) > byteArray->length())
60 return nullptr; 65 return nullptr;
61 66
62 return new ImageData(size, byteArray); 67 return new ImageData(size, byteArray);
63 } 68 }
64 69
65 ImageData* ImageData::create(unsigned width, unsigned height, ExceptionState& ex ceptionState) 70 ImageData* ImageData::create(unsigned width, unsigned height, ExceptionState& ex ceptionState)
66 { 71 {
67 if (!width || !height) { 72 if (!width || !height) {
68 exceptionState.throwDOMException(IndexSizeError, String::format("The sou rce %s is zero or not a number.", width ? "height" : "width")); 73 exceptionState.throwDOMException(IndexSizeError, String::format("The sou rce %s is zero or not a number.", width ? "height" : "width"));
69 return nullptr; 74 return nullptr;
70 } 75 }
71 76
72 Checked<unsigned, RecordOverflow> dataSize = 4; 77 Checked<unsigned, RecordOverflow> dataSize = 4;
73 dataSize *= width; 78 dataSize *= width;
74 dataSize *= height; 79 dataSize *= height;
75 if (dataSize.hasOverflowed()) { 80 if (dataSize.hasOverflowed()
81 || static_cast<int>(width) < 0
82 || static_cast<int>(height) < 0) {
76 exceptionState.throwDOMException(IndexSizeError, "The requested image si ze exceeds the supported range."); 83 exceptionState.throwDOMException(IndexSizeError, "The requested image si ze exceeds the supported range.");
77 return nullptr; 84 return nullptr;
78 } 85 }
79 86
80 return new ImageData(IntSize(width, height)); 87 RefPtr<DOMUint8ClampedArray> byteArray =
88 DOMUint8ClampedArray::createOrNull(dataSize.unsafeGet());
89 if (!byteArray) {
90 exceptionState.throwDOMException(V8GeneralError, "Out of memory at Image Data creation");
haraken 2015/09/09 09:23:55 What error does Firefox or IE throw for this case?
Yuki 2015/09/09 09:31:30 I failed to make Firefox throw an exception, but I
Yuki 2015/09/09 12:50:10 As far as I tested with Firefox on GNU/Linux, Fire
91 return nullptr;
92 }
93
94 return new ImageData(IntSize(width, height), byteArray.release());
81 } 95 }
82 96
83 bool ImageData::validateConstructorArguments(DOMUint8ClampedArray* data, unsigne d width, unsigned& lengthInPixels, ExceptionState& exceptionState) 97 bool ImageData::validateConstructorArguments(DOMUint8ClampedArray* data, unsigne d width, unsigned& lengthInPixels, ExceptionState& exceptionState)
84 { 98 {
85 if (!width) { 99 if (!width) {
86 exceptionState.throwDOMException(IndexSizeError, "The source width is ze ro or not a number."); 100 exceptionState.throwDOMException(IndexSizeError, "The source width is ze ro or not a number.");
87 return false; 101 return false;
88 } 102 }
89 ASSERT(data); 103 ASSERT(data);
90 unsigned length = data->length(); 104 unsigned length = data->length();
140 // Create a V8 Uint8ClampedArray object and set the "data" property 154 // Create a V8 Uint8ClampedArray object and set the "data" property
141 // of the ImageData object to the created v8 object, eliminating the 155 // of the ImageData object to the created v8 object, eliminating the
142 // C++ callback when accessing the "data" property. 156 // C++ callback when accessing the "data" property.
143 v8::Local<v8::Value> pixelArray = toV8(m_data.get(), wrapper, isolate); 157 v8::Local<v8::Value> pixelArray = toV8(m_data.get(), wrapper, isolate);
144 if (pixelArray.IsEmpty() || !v8CallBoolean(wrapper->DefineOwnProperty(is olate->GetCurrentContext(), v8AtomicString(isolate, "data"), pixelArray, v8::Rea dOnly))) 158 if (pixelArray.IsEmpty() || !v8CallBoolean(wrapper->DefineOwnProperty(is olate->GetCurrentContext(), v8AtomicString(isolate, "data"), pixelArray, v8::Rea dOnly)))
145 return v8::Local<v8::Object>(); 159 return v8::Local<v8::Object>();
146 } 160 }
147 return wrapper; 161 return wrapper;
148 } 162 }
149 163
150 ImageData::ImageData(const IntSize& size)
151 : m_size(size)
152 , m_data(DOMUint8ClampedArray::create(size.width() * size.height() * 4))
153 {
154 }
155
156 ImageData::ImageData(const IntSize& size, PassRefPtr<DOMUint8ClampedArray> byteA rray) 164 ImageData::ImageData(const IntSize& size, PassRefPtr<DOMUint8ClampedArray> byteA rray)
157 : m_size(size) 165 : m_size(size)
158 , m_data(byteArray) 166 , m_data(byteArray)
159 { 167 {
160 ASSERT_WITH_SECURITY_IMPLICATION(static_cast<unsigned>(size.width() * size.h eight() * 4) <= m_data->length()); 168 ASSERT_WITH_SECURITY_IMPLICATION(static_cast<unsigned>(size.width() * size.h eight() * 4) <= m_data->length());
161 } 169 }
162 170
163 void ImageData::dispose() 171 void ImageData::dispose()
164 { 172 {
165 m_data.clear(); 173 m_data.clear();
166 } 174 }
167 175
168 } // namespace blink 176 } // namespace blink
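Review bot: The new create(unsigned, unsigned, ExceptionState&) on new lines 77-82 still lets the 4*width*height byte count exceed INT_MAX: dataSize is Checked<unsigned>, so it only records overflow past 2^32, and the added `static_cast<int>(width) < 0` / `static_cast<int>(height) < 0` guards look at each dimension alone, not at the product. A request such as 30000x30000 passes that guard with dataSize of about 3.6e9, whereas the IntSize overload on new lines 41-45 rejects the same size through Checked<int>, and the ASSERT_WITH_SECURITY_IMPLICATION on new line 168 computes `size.width() * size.height() * 4` in int, which is signed overflow for that input. I would bound the product to the signed range in the same condition, e.g. `if (dataSize.hasOverflowed() || dataSize.unsafeGet() > static_cast<unsigned>(INT_MAX)) {`, which also subsumes the two per-dimension checks because width and height are already known to be non-zero at that point. Whether any other consumer of m_size recomputes the byte count in int is not visible on this page, so the assert line is the only concrete overflow I can point to here.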
