
Side by Side Diff: third_party/WebKit/Source/core/html/ImageData.cpp

Issue 1414553002: Fix out-of-memory crashes related to ArrayBuffer allocation Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: rebase+more tweaks Created 5 years, 1 month ago
1 /* 1 /*
2 * Copyright (C) 2008 Apple Inc. All rights reserved. 2 * Copyright (C) 2008 Apple Inc. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 7 *
8 * 1. Redistributions of source code must retain the above copyright 8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer. 9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright 10 * 2. Redistributions in binary form must reproduce the above copyright
(...skipping 18 matching lines...) Expand all
29 #include "config.h" 29 #include "config.h"
30 #include "core/html/ImageData.h" 30 #include "core/html/ImageData.h"
31 31
32 #include "bindings/core/v8/ExceptionState.h" 32 #include "bindings/core/v8/ExceptionState.h"
33 #include "bindings/core/v8/V8Uint8ClampedArray.h" 33 #include "bindings/core/v8/V8Uint8ClampedArray.h"
34 #include "core/dom/ExceptionCode.h" 34 #include "core/dom/ExceptionCode.h"
35 #include "platform/RuntimeEnabledFeatures.h" 35 #include "platform/RuntimeEnabledFeatures.h"
36 36
37 namespace blink { 37 namespace blink {
38 38
39 ImageData* ImageData::create(const IntSize& size) 39 ImageData* ImageData::create(const IntSize& size, ExceptionState& exceptionState )
40 { 40 {
41 Checked<int, RecordOverflow> dataSize = 4; 41 Checked<int, RecordOverflow> dataSize = 4;
42 dataSize *= size.width(); 42 dataSize *= size.width();
43 dataSize *= size.height(); 43 dataSize *= size.height();
44 if (dataSize.hasOverflowed() || dataSize.unsafeGet() < 0) 44 if (dataSize.hasOverflowed() || dataSize.unsafeGet() < 0) {
45 exceptionState.throwDOMException(IndexSizeError, "The requested image si ze exceeds the supported range.");
45 return nullptr; 46 return nullptr;
47 }
46 48
47 RefPtr<DOMUint8ClampedArray> byteArray = 49 RefPtr<DOMUint8ClampedArray> byteArray =
48 DOMUint8ClampedArray::createOrNull(dataSize.unsafeGet()); 50 DOMUint8ClampedArray::createOrNull(dataSize.unsafeGet());
49 if (!byteArray) 51 if (!byteArray) {
52 exceptionState.throwRangeError("ImageData object creation failed due to insufficient available memory.");
50 return nullptr; 53 return nullptr;
54 }
51 55
52 return new ImageData(size, byteArray.release()); 56 return new ImageData(size, byteArray.release());
53 } 57 }
54 58
55 ImageData* ImageData::create(const IntSize& size, PassRefPtr<DOMUint8ClampedArra y> byteArray) 59 ImageData* ImageData::create(const IntSize& size, PassRefPtr<DOMUint8ClampedArra y> byteArray)
56 { 60 {
57 Checked<int, RecordOverflow> dataSize = 4; 61 Checked<int, RecordOverflow> dataSize = 4;
58 dataSize *= size.width(); 62 dataSize *= size.width();
59 dataSize *= size.height(); 63 dataSize *= size.height();
60 if (dataSize.hasOverflowed()) 64 if (dataSize.hasOverflowed()
65 || dataSize.unsafeGet() < 0
66 || static_cast<unsigned>(dataSize.unsafeGet()) > byteArray->length()) {
61 return nullptr; 67 return nullptr;
62 68 }
63 if (dataSize.unsafeGet() < 0
64 || static_cast<unsigned>(dataSize.unsafeGet()) > byteArray->length())
65 return nullptr;
66 69
67 return new ImageData(size, byteArray); 70 return new ImageData(size, byteArray);
68 } 71 }
69 72
70 ImageData* ImageData::create(unsigned width, unsigned height, ExceptionState& ex ceptionState) 73 ImageData* ImageData::create(unsigned width, unsigned height, ExceptionState& ex ceptionState)
71 { 74 {
72 if (!width || !height) { 75 if (!width || !height) {
73 exceptionState.throwDOMException(IndexSizeError, String::format("The sou rce %s is zero or not a number.", width ? "height" : "width")); 76 exceptionState.throwDOMException(IndexSizeError, String::format("The sou rce %s is zero or not a number.", width ? "height" : "width"));
74 return nullptr; 77 return nullptr;
75 } 78 }
76 79
77 Checked<unsigned, RecordOverflow> dataSize = 4; 80 Checked<unsigned, RecordOverflow> dataSize = 4;
78 dataSize *= width; 81 dataSize *= width;
79 dataSize *= height; 82 dataSize *= height;
80 if (dataSize.hasOverflowed() 83 if (dataSize.hasOverflowed()
81 || static_cast<int>(width) < 0 84 || static_cast<int>(width) < 0
82 || static_cast<int>(height) < 0) { 85 || static_cast<int>(height) < 0) {
83 exceptionState.throwDOMException(IndexSizeError, "The requested image si ze exceeds the supported range."); 86 exceptionState.throwDOMException(IndexSizeError, "The requested image si ze exceeds the supported range.");
84 return nullptr; 87 return nullptr;
85 } 88 }
86 89
87 RefPtr<DOMUint8ClampedArray> byteArray = 90 RefPtr<DOMUint8ClampedArray> byteArray =
88 DOMUint8ClampedArray::createOrNull(dataSize.unsafeGet()); 91 DOMUint8ClampedArray::createOrNull(dataSize.unsafeGet());
89 if (!byteArray) { 92 if (!byteArray) {
90 exceptionState.throwDOMException(V8GeneralError, "Out of memory at Image Data creation"); 93 exceptionState.throwRangeError("ImageData object creation failed due to insufficient available memory.");
91 return nullptr; 94 return nullptr;
92 } 95 }
93 96
94 return new ImageData(IntSize(width, height), byteArray.release()); 97 return new ImageData(IntSize(width, height), byteArray.release());
95 } 98 }
96 99
97 bool ImageData::validateConstructorArguments(DOMUint8ClampedArray* data, unsigne d width, unsigned& lengthInPixels, ExceptionState& exceptionState) 100 bool ImageData::validateConstructorArguments(DOMUint8ClampedArray* data, unsigne d width, unsigned& lengthInPixels, ExceptionState& exceptionState)
98 { 101 {
99 if (!width) { 102 if (!width) {
100 exceptionState.throwDOMException(IndexSizeError, "The source width is ze ro or not a number."); 103 exceptionState.throwDOMException(IndexSizeError, "The source width is ze ro or not a number.");
(...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after
167 { 170 {
168 ASSERT_WITH_SECURITY_IMPLICATION(static_cast<unsigned>(size.width() * size.h eight() * 4) <= m_data->length()); 171 ASSERT_WITH_SECURITY_IMPLICATION(static_cast<unsigned>(size.width() * size.h eight() * 4) <= m_data->length());
169 } 172 }
170 173
171 void ImageData::dispose() 174 void ImageData::dispose()
172 { 175 {
173 m_data.clear(); 176 m_data.clear();
174 } 177 }
175 178
176 } // namespace blink 179 } // namespace blink
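Review bot: The size guards in both IntSize overloads of ImageData::create (new lines 44 and 64-66) test only the sign of the product, so a size whose width and height are both negative gives a positive dataSize and is accepted, assuming IntSize dimensions are signed as the `< 0` test implies. The unsigned overload already rejects each dimension separately at new lines 84-85; the same test belongs here, by adding `size.width() < 0 || size.height() < 0 ||` to the front of both conditions. The ASSERT_WITH_SECURITY_IMPLICATION at new line 171 does not catch this, because it multiplies the raw ints again and so also passes for two negative dimensions; the function it sits in starts outside the visible lines. Separately, new line 66 dereferences `byteArray` without a null test, so if any caller forwards a `createOrNull()` result unchecked, this overload should return nullptr for a null array.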