Chromium Code Reviews Chromium Code Reviews
Issue 1414553002:
Fix out-of-memory crashes related to ArrayBuffer allocation
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Apple Inc. All rights reserved. | 2 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Apple Inc. All rights reserved. |
| 3 * Copyright (C) 2008, 2010 Nokia Corporation and/or its subsidiary(-ies) | 3 * Copyright (C) 2008, 2010 Nokia Corporation and/or its subsidiary(-ies) |
| 4 * Copyright (C) 2007 Alp Toker <alp@atoker.com> | 4 * Copyright (C) 2007 Alp Toker <alp@atoker.com> |
| 5 * Copyright (C) 2008 Eric Seidel <eric@webkit.org> | 5 * Copyright (C) 2008 Eric Seidel <eric@webkit.org> |
| 6 * Copyright (C) 2008 Dirk Schulze <krit@webkit.org> | 6 * Copyright (C) 2008 Dirk Schulze <krit@webkit.org> |
| 7 * Copyright (C) 2010 Torch Mobile (Beijing) Co. Ltd. All rights reserved. | 7 * Copyright (C) 2010 Torch Mobile (Beijing) Co. Ltd. All rights reserved. |
| 8 * Copyright (C) 2012, 2013 Intel Corporation. All rights reserved. | 8 * Copyright (C) 2012, 2013 Intel Corporation. All rights reserved. |
| 9 * Copyright (C) 2013 Adobe Systems Incorporated. All rights reserved. | 9 * Copyright (C) 2013 Adobe Systems Incorporated. All rights reserved. |
| 10 * | 10 * |
| (...skipping 1545 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1556 canvas()->didDraw(SkRect::Make(dirtyRect)); | 1556 canvas()->didDraw(SkRect::Make(dirtyRect)); |
| 1557 } | 1557 } |
| 1558 | 1558 |
| 1559 SkCanvas* CanvasRenderingContext2D::drawingCanvas() const | 1559 SkCanvas* CanvasRenderingContext2D::drawingCanvas() const |
| 1560 { | 1560 { |
| 1561 if (isContextLost()) | 1561 if (isContextLost()) |
| 1562 return nullptr; | 1562 return nullptr; |
| 1563 return canvas()->drawingCanvas(); | 1563 return canvas()->drawingCanvas(); |
| 1564 } | 1564 } |
| 1565 | 1565 |
| 1566 ImageData* CanvasRenderingContext2D::createImageData(ImageData* imageData) const | 1566 ImageData* CanvasRenderingContext2D::createImageData(ImageData* imageData, Excep tionState& exceptionState) const |
| 1567 { | 1567 { |
| 1568 return ImageData::create(imageData->size()); | 1568 return ImageData::create(imageData->size(), exceptionState); |
| 1569 } | 1569 } |
| 1570 | 1570 |
| 1571 ImageData* CanvasRenderingContext2D::createImageData(float sw, float sh, Excepti onState& exceptionState) const | 1571 ImageData* CanvasRenderingContext2D::createImageData(float sw, float sh, Excepti onState& exceptionState) const |
| 1572 { | 1572 { |
| 1573 if (!sw || !sh) { | 1573 if (!sw || !sh) { |
| 1574 exceptionState.throwDOMException(IndexSizeError, String::format("The sou rce %s is 0.", sw ? "height" : "width")); | 1574 exceptionState.throwDOMException(IndexSizeError, String::format("The sou rce %s is 0.", sw ? "height" : "width")); |
| 1575 return nullptr; | 1575 return nullptr; |
| 1576 } | 1576 } |
| 1577 | 1577 |
| 1578 FloatSize logicalSize(fabs(sw), fabs(sh)); | 1578 FloatSize logicalSize(fabs(sw), fabs(sh)); |
| 1579 if (!logicalSize.isExpressibleAsIntSize()) | 1579 if (!logicalSize.isExpressibleAsIntSize()) |
| 1580 return nullptr; | 1580 return nullptr; |
| 1581 | 1581 |
| 1582 IntSize size = expandedIntSize(logicalSize); | 1582 IntSize size = expandedIntSize(logicalSize); |
| 1583 if (size.width() < 1) | 1583 if (size.width() < 1) |
| 1584 size.setWidth(1); | 1584 size.setWidth(1); |
| 1585 if (size.height() < 1) | 1585 if (size.height() < 1) |
| 1586 size.setHeight(1); | 1586 size.setHeight(1); |
| 1587 | 1587 |
| 1588 return ImageData::create(size); | 1588 return ImageData::create(size, exceptionState); |
| 1589 } | 1589 } |
| 1590 | 1590 |
| 1591 ImageData* CanvasRenderingContext2D::getImageData(float sx, float sy, float sw, float sh, ExceptionState& exceptionState) const | 1591 ImageData* CanvasRenderingContext2D::getImageData(float sx, float sy, float sw, float sh, ExceptionState& exceptionState) const |
| 1592 { | 1592 { |
| 1593 if (!canvas()->originClean()) | 1593 if (!canvas()->originClean()) |
| 1594 exceptionState.throwSecurityError("The canvas has been tainted by cross- origin data."); | 1594 exceptionState.throwSecurityError("The canvas has been tainted by cross- origin data."); |
| 1595 else if (!sw || !sh) | 1595 else if (!sw || !sh) |
| 1596 exceptionState.throwDOMException(IndexSizeError, String::format("The sou rce %s is 0.", sw ? "height" : "width")); | 1596 exceptionState.throwDOMException(IndexSizeError, String::format("The sou rce %s is 0.", sw ? "height" : "width")); |
| 1597 | 1597 |
| 1598 if (exceptionState.hadException()) | 1598 if (exceptionState.hadException()) |
| (...skipping 12 matching lines...) Expand all Loading... | |
| 1611 if (logicalRect.width() < 1) | 1611 if (logicalRect.width() < 1) |
| 1612 logicalRect.setWidth(1); | 1612 logicalRect.setWidth(1); |
| 1613 if (logicalRect.height() < 1) | 1613 if (logicalRect.height() < 1) |
| 1614 logicalRect.setHeight(1); | 1614 logicalRect.setHeight(1); |
| 1615 if (!logicalRect.isExpressibleAsIntRect()) | 1615 if (!logicalRect.isExpressibleAsIntRect()) |
| 1616 return nullptr; | 1616 return nullptr; |
| 1617 | 1617 |
| 1618 IntRect imageDataRect = enclosingIntRect(logicalRect); | 1618 IntRect imageDataRect = enclosingIntRect(logicalRect); |
| 1619 ImageBuffer* buffer = canvas()->buffer(); | 1619 ImageBuffer* buffer = canvas()->buffer(); |
| 1620 if (!buffer || isContextLost()) | 1620 if (!buffer || isContextLost()) |
| 1621 return ImageData::create(imageDataRect.size()); | 1621 return ImageData::create(imageDataRect.size(), exceptionState); |
| 1622 | 1622 |
| 1623 WTF::ArrayBufferContents contents; | 1623 WTF::ArrayBufferContents contents; |
| 1624 if (!buffer->getImageData(Unmultiplied, imageDataRect, contents)) | 1624 if (!buffer->getImageData(Unmultiplied, imageDataRect, contents)) { |
| 1625 exceptionState.throwRangeError("Out of memory."); | |
|
haraken
2015/10/29 16:24:34
Maybe do we want to invent a better error message
Justin Novosad
2015/10/29 18:26:02
Acknowledged.
| |
| 1625 return nullptr; | 1626 return nullptr; |
| 1627 } | |
| 1626 | 1628 |
| 1627 RefPtr<DOMArrayBuffer> arrayBuffer = DOMArrayBuffer::create(contents); | 1629 RefPtr<DOMArrayBuffer> arrayBuffer = DOMArrayBuffer::create(contents); |
| 1628 return ImageData::create( | 1630 return ImageData::create( |
| 1629 imageDataRect.size(), | 1631 imageDataRect.size(), |
| 1630 DOMUint8ClampedArray::create(arrayBuffer, 0, arrayBuffer->byteLength())) ; | 1632 DOMUint8ClampedArray::create(arrayBuffer, 0, arrayBuffer->byteLength())) ; |
| 1631 } | 1633 } |
| 1632 | 1634 |
| 1633 void CanvasRenderingContext2D::putImageData(ImageData* data, float dx, float dy) | 1635 void CanvasRenderingContext2D::putImageData(ImageData* data, float dx, float dy) |
| 1634 { | 1636 { |
| 1635 putImageData(data, dx, dy, 0, 0, data->width(), data->height()); | 1637 putImageData(data, dx, dy, 0, 0, data->width(), data->height()); |
| (...skipping 688 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2324 if (imageType == CanvasRenderingContext2DState::NonOpaqueImage) | 2326 if (imageType == CanvasRenderingContext2DState::NonOpaqueImage) |
| 2325 return; | 2327 return; |
| 2326 if (alpha < 0xFF) | 2328 if (alpha < 0xFF) |
| 2327 return; | 2329 return; |
| 2328 } | 2330 } |
| 2329 | 2331 |
| 2330 canvas()->buffer()->willOverwriteCanvas(); | 2332 canvas()->buffer()->willOverwriteCanvas(); |
| 2331 } | 2333 } |
| 2332 | 2334 |
| 2333 } // namespace blink | 2335 } // namespace blink |
| OLD | NEW |
