Do not crash when out of memory at ImageData::create().

Source/core/html/ImageData.cpp

Index: Source/core/html/ImageData.cpp
diff --git a/Source/core/html/ImageData.cpp b/Source/core/html/ImageData.cpp
index d16984b0e68ac981e492892f37e53e4966839974..f0cec65d2ecd00cf4d5c6b57a1d593615b16ecda 100644
--- a/Source/core/html/ImageData.cpp
+++ b/Source/core/html/ImageData.cpp
@@ -41,10 +41,15 @@ ImageData* ImageData::create(const IntSize& size)
     Checked<int, RecordOverflow> dataSize = 4;
     dataSize *= size.width();
     dataSize *= size.height();
-    if (dataSize.hasOverflowed())
+    if (dataSize.hasOverflowed() || dataSize.unsafeGet() < 0)
+        return nullptr;
+
+    RefPtr<DOMUint8ClampedArray> byteArray =
+        DOMUint8ClampedArray::createOrNull(dataSize.unsafeGet());
+    if (!byteArray)
         return nullptr;
 
-    return new ImageData(size);
+    return new ImageData(size, byteArray.release());
 }
 
 ImageData* ImageData::create(const IntSize& size, PassRefPtr<DOMUint8ClampedArray> byteArray)
@@ -72,12 +77,21 @@ ImageData* ImageData::create(unsigned width, unsigned height, ExceptionState& ex
     Checked<unsigned, RecordOverflow> dataSize = 4;
     dataSize *= width;
     dataSize *= height;
-    if (dataSize.hasOverflowed()) {
+    if (dataSize.hasOverflowed()
+        || static_cast<int>(width) < 0
+        || static_cast<int>(height) < 0) {
         exceptionState.throwDOMException(IndexSizeError, "The requested image size exceeds the supported range.");
         return nullptr;
     }
 
-    return new ImageData(IntSize(width, height));
+    RefPtr<DOMUint8ClampedArray> byteArray =
+        DOMUint8ClampedArray::createOrNull(dataSize.unsafeGet());
+    if (!byteArray) {
+        exceptionState.throwDOMException(V8GeneralError, "Out of memory at ImageData creation");

[haraken, 2015/09/09 09:23:55]

What error does Firefox or IE throw for this case?

Given that we're throwing IndexSizeError for an invalid width and height,
IndexSizeError might make more sense here as well.

[Yuki, 2015/09/09 09:31:30]

I failed to make Firefox throw an exception, but I'll try it again.

The spec explicitly requires that ImageData throws IndexSizeError in case of
the invalid range of size.  The error is not designed for out of memory.  Out
of memory error can happen even if the size is valid.  Should be distinguished
one from another.  (Actually we check the range first and throw in the case.)

Anyway, I'll try to check other browser's behaviors.

[Yuki, 2015/09/09 12:50:10]

As far as I tested with Firefox on GNU/Linux, Firefox does not respond...
Something bad seems happening in it.

+        return nullptr;
+    }
+
+    return new ImageData(IntSize(width, height), byteArray.release());
 }
 
 bool ImageData::validateConstructorArguments(DOMUint8ClampedArray* data, unsigned width, unsigned& lengthInPixels, ExceptionState& exceptionState)
@@ -147,12 +161,6 @@ v8::Local<v8::Object> ImageData::associateWithWrapper(v8::Isolate* isolate, cons
     return wrapper;
 }
 
-ImageData::ImageData(const IntSize& size)
-    : m_size(size)
-    , m_data(DOMUint8ClampedArray::create(size.width() * size.height() * 4))
-{
-}
-
 ImageData::ImageData(const IntSize& size, PassRefPtr<DOMUint8ClampedArray> byteArray)
     : m_size(size)
     , m_data(byteArray)