Fix out-of-memory crashes related to ArrayBuffer allocation

third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp

 /*
  * Copyright (C) 2004, 2006, 2007 Apple Inc. All rights reserved.
  * Copyright (C) 2007 Alp Toker <alp@atoker.com>
  * Copyright (C) 2010 Torch Mobile (Beijing) Co. Ltd. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
@@ skipping 444 matching lines @@
 
     // FIXME: Make isSupportedImageMIMETypeForEncoding threadsafe (to allow this method to be used on a worker thread).
     if (mimeType.isNull() || !MIMETypeRegistry::isSupportedImageMIMETypeForEncoding(lowercaseMimeType))
         lowercaseMimeType = "image/png";
 
     return lowercaseMimeType;
 }
 
 const AtomicString HTMLCanvasElement::imageSourceURL() const
 {
-    return AtomicString(toDataURLInternal("image/png", 0, FrontBuffer));
+    NonThrowableExceptionState exceptionState;
+    AtomicString dataURL(toDataURLInternal("image/png", 0, FrontBuffer, exceptionState));
+    if (exceptionState.hadException())
+        return AtomicString("data:,");
+    return dataURL;
 }
 
 void HTMLCanvasElement::prepareSurfaceForPaintingIfNeeded() const
 {
     ASSERT(m_context && m_context->is2d()); // This function is called by the 2d context
     if (buffer())
         m_imageBuffer->prepareSurfaceForPaintingIfNeeded();
 }
 
-ImageData* HTMLCanvasElement::toImageData(SourceDrawingBuffer sourceBuffer) const
+ImageData* HTMLCanvasElement::toImageData(SourceDrawingBuffer sourceBuffer, ExceptionState& exceptionState) const
 {
     ImageData* imageData;
     if (is3D()) {
         // Get non-premultiplied data because of inaccurate premultiplied alpha conversion of buffer()->toDataURL().
         imageData = m_context->paintRenderingResultsToImageData(sourceBuffer);
         if (imageData)
             return imageData;
 
         m_context->paintRenderingResultsToCanvas(sourceBuffer);
-        imageData = ImageData::create(m_size);
+        imageData = ImageData::create(m_size, exceptionState);
+        // Note: we rethrow exceptions from ImageData creation, which is not
+        // mandated by the specification because using an ImageData intermediate
+        // for toBlob and toDataURL is an implementation choice.  As a result of
+        // this rethrow, a RangeError exception may be thrown when there is
+        // insufficient available memory. Even though the exception is unspec'ed,
+        // it was ascertained that to throw from here will generally result in a
+        // better outcome than to crash the process.
+        if (exceptionState.hadException())
+            return nullptr;
         RefPtr<SkImage> snapshot = buffer()->newSkImageSnapshot(PreferNoAcceleration);
         if (snapshot) {
             SkImageInfo imageInfo = SkImageInfo::Make(width(), height(), kRGBA_8888_SkColorType, kUnpremul_SkAlphaType);
             snapshot->readPixels(imageInfo, imageData->data()->data(), imageInfo.minRowBytes(), 0, 0);
         }
         return imageData;
     }
 
-    imageData = ImageData::create(m_size);
+    imageData = ImageData::create(m_size, exceptionState);
+    if (exceptionState.hadException())
+        return nullptr;
 
     if (!m_context)
         return imageData;
 
     ASSERT(m_context->is2d());
     RefPtr<SkImage> snapshot = buffer()->newSkImageSnapshot(PreferNoAcceleration);
     if (snapshot) {
         SkImageInfo imageInfo = SkImageInfo::Make(width(), height(), kRGBA_8888_SkColorType, kUnpremul_SkAlphaType);
         snapshot->readPixels(imageInfo, imageData->data()->data(), imageInfo.minRowBytes(), 0, 0);
     }
 
     return imageData;
 }
 
-String HTMLCanvasElement::toDataURLInternal(const String& mimeType, const double& quality, SourceDrawingBuffer sourceBuffer) const
+String HTMLCanvasElement::toDataURLInternal(const String& mimeType, const double& quality, SourceDrawingBuffer sourceBuffer, ExceptionState& exceptionState) const
 {
     if (!isPaintable())
         return String("data:,");
 
     String encodingMimeType = toEncodingMimeType(mimeType);
 
-    ImageData* imageData = toImageData(sourceBuffer);
+    ImageData* imageData = toImageData(sourceBuffer, exceptionState);
+    if (exceptionState.hadException())
+        return String();
+
     ScopedDisposal<ImageData> disposer(imageData);
 
     return ImageDataBuffer(imageData->size(), imageData->data()->data()).toDataURL(encodingMimeType, quality);
 }
 
 String HTMLCanvasElement::toDataURL(const String& mimeType, const ScriptValue& qualityArgument, ExceptionState& exceptionState) const
 {
     if (!originClean()) {
         exceptionState.throwSecurityError("Tainted canvases may not be exported.");
         return String();
     }
     double quality = UndefinedQualityValue;
     if (!qualityArgument.isEmpty()) {
         v8::Local<v8::Value> v8Value = qualityArgument.v8Value();
         if (v8Value->IsNumber()) {
             quality = v8Value.As<v8::Number>()->Value();
         }
     }
-    return toDataURLInternal(mimeType, quality, BackBuffer);
+    return toDataURLInternal(mimeType, quality, BackBuffer, exceptionState);
 }
 
 void HTMLCanvasElement::encodeImageAsync(DOMUint8ClampedArray* imageData, IntSize imageSize, FileCallback* callback, const String& mimeType, double quality)
 {
     OwnPtr<Vector<char>> encodedImage(adoptPtr(new Vector<char>()));
 
     if (!ImageDataBuffer(imageSize, imageData->data()).encodeImage(mimeType, quality, encodedImage.get())) {
         Platform::current()->mainThread()->taskRunner()->postTask(BLINK_FROM_HERE, bind(&FileCallback::handleEvent, callback, nullptr));
     } else {
         Platform::current()->mainThread()->taskRunner()->postTask(BLINK_FROM_HERE, threadSafeBind(&HTMLCanvasElement::createBlobAndCall, encodedImage.release(), mimeType, AllowCrossThreadAccess(callback)));
@@ skipping 25 matching lines @@
     double quality = UndefinedQualityValue;
     if (!qualityArgument.isEmpty()) {
         v8::Local<v8::Value> v8Value = qualityArgument.v8Value();
         if (v8Value->IsNumber()) {
             quality = v8Value.As<v8::Number>()->Value();
         }
     }
 
     String encodingMimeType = toEncodingMimeType(mimeType);
 
-    ImageData* imageData = toImageData(BackBuffer);
-    // imageData unref its data, which we still keep alive for the async toBlob thread
+    ImageData* imageData = toImageData(BackBuffer, exceptionState);
+    if (exceptionState.hadException())
+        return;
+
+    // ImageData unrefs its data, which we still keep alive for the async toBlob thread
     ScopedDisposal<ImageData> disposer(imageData);
 
     // Add a ref to keep image data alive until completion of encoding
     RefPtr<DOMUint8ClampedArray> imageDataRef(imageData->data());
 
     getToBlobThreadInstance()->taskRunner()->postTask(BLINK_FROM_HERE, new Task(threadSafeBind(&HTMLCanvasElement::encodeImageAsync, AllowCrossThreadAccess(imageDataRef.release().leakRef()), imageData->size(), AllowCrossThreadAccess(callback), encodingMimeType, quality)));
 }
 
 SecurityOrigin* HTMLCanvasElement::securityOrigin() const
 {
@@ skipping 350 matching lines @@
 {
     return FloatSize(width(), height());
 }
 
 bool HTMLCanvasElement::isOpaque() const
 {
     return m_context && !m_context->hasAlpha();
 }
 
 } // blink