Upgrade blink side ReadPixels size validation to consider ES3 pack parameters.

third_party/WebKit/Source/platform/graphics/gpu/WebGLImageConversion.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "platform/graphics/gpu/WebGLImageConversion.h"
 
 #include "platform/CheckedInt.h"
 #include "platform/graphics/ImageObserver.h"
 #include "platform/graphics/cpu/arm/WebGLImageConversionNEON.h"
 #include "platform/graphics/cpu/x86/WebGLImageConversionSSE.h"
@@ skipping 1905 matching lines @@
             unpack<SrcFormat>(srcRowStart, reinterpret_cast<IntermType*>(m_unpackedIntermediateSrcData.get()), m_width);
             pack<DstFormat, alphaOp>(reinterpret_cast<IntermType*>(m_unpackedIntermediateSrcData.get()), dstRowStart, m_width);
             srcRowStart += srcStrideInElements;
             dstRowStart += dstStrideInElements;
         }
     }
     m_success = true;
     return;
 }
 
+bool frameIsValid(const SkBitmap& frameBitmap)
+{
+    return !frameBitmap.isNull()
+        && !frameBitmap.empty()
+        && frameBitmap.isImmutable()
+        && frameBitmap.colorType() == kN32_SkColorType;
+}
+
 } // anonymous namespace
 
+WebGLImageConversion::PixelStoreParams::PixelStoreParams()
+    : alignment(4)
+    , rowLength(0)
+    , imageHeight(0)
+    , skipPixels(0)
+    , skipRows(0)
+    , skipImages(0)
+{
+}
+
 bool WebGLImageConversion::computeFormatAndTypeParameters(GLenum format, GLenum type, unsigned* componentsPerPixel, unsigned* bytesPerComponent)
 {
     switch (format) {
     case GL_ALPHA:
     case GL_LUMINANCE:
     case GL_RED:
     case GL_RED_INTEGER:
     case GL_DEPTH_COMPONENT:
     case GL_DEPTH_STENCIL: // Treat it as one component.
         *componentsPerPixel = 1;
@@ skipping 55 matching lines @@
     case GL_HALF_FLOAT:
     case GL_HALF_FLOAT_OES: // OES_texture_half_float
         *bytesPerComponent = sizeof(GLushort);
         break;
     default:
         return false;
     }
     return true;
 }
 
-GLenum WebGLImageConversion::computeImageSizeInBytes(GLenum format, GLenum type, GLsizei width, GLsizei height, GLsizei depth, GLint alignment, unsigned* imageSizeInBytes, unsigned* paddingInBytes)
+GLenum WebGLImageConversion::computeImageSizeInBytes(GLenum format, GLenum type, GLsizei width, GLsizei height, GLsizei depth, const PixelStoreParams& params, unsigned* imageSizeInBytes, unsigned* paddingInBytes, unsigned* skipSizeInBytes)
 {
     ASSERT(imageSizeInBytes);
-    ASSERT(alignment == 1 || alignment == 2 || alignment == 4 || alignment == 8);
+    ASSERT(params.alignment == 1 || params.alignment == 2 || params.alignment == 4 || params.alignment == 8);
+    ASSERT(params.rowLength >= 0 && params.imageHeight >= 0);
+    ASSERT(params.skipPixels >= 0 && params.skipRows >= 0 && params.skipImages >= 0);
     if (width < 0 || height < 0 || depth < 0)
         return GL_INVALID_VALUE;
-    unsigned bytesPerComponent, componentsPerPixel;
-    if (!computeFormatAndTypeParameters(format, type, &bytesPerComponent, &componentsPerPixel))
-        return GL_INVALID_ENUM;
     if (!width || !height || !depth) {
         *imageSizeInBytes = 0;
         if (paddingInBytes)
             *paddingInBytes = 0;
+        if (skipSizeInBytes)
+            *skipSizeInBytes = 0;
         return GL_NO_ERROR;
     }
-    CheckedInt<uint32_t> checkedValue(bytesPerComponent * componentsPerPixel);
-    checkedValue *=  width;
+
+    int rowLength = params.rowLength > 0 ? params.rowLength : width;
+    int imageHeight = params.imageHeight > 0 ? params.imageHeight : height;
+
+    unsigned bytesPerComponent, componentsPerPixel;
+    if (!computeFormatAndTypeParameters(format, type, &bytesPerComponent, &componentsPerPixel))
+        return GL_INVALID_ENUM;
+    unsigned bytesPerGroup = bytesPerComponent * componentsPerPixel;
+    CheckedInt<uint32_t> checkedValue = static_cast<uint32_t>(rowLength);
+    checkedValue *=  bytesPerGroup;
     if (!checkedValue.isValid())
         return GL_INVALID_VALUE;
-    unsigned validRowSize = checkedValue.value();
+
+    unsigned lastRowSize;
+    if (params.rowLength > 0 && params.rowLength != width) {
+        CheckedInt<uint32_t> tmp = width;
+        tmp *= bytesPerGroup;
+        if (!tmp.isValid())
+            return GL_INVALID_VALUE;
+        lastRowSize = tmp.value();
+    } else {
+        lastRowSize = checkedValue.value();
+    }
+
     unsigned padding = 0;
-    unsigned residual = validRowSize % alignment;
+    unsigned residual = checkedValue.value() % params.alignment;
     if (residual) {
-        padding = alignment - residual;
+        padding = params.alignment - residual;
         checkedValue += padding;
     }
-    // Last row needs no padding.
-    checkedValue *= (height * depth - 1);
-    checkedValue += validRowSize;
+    if (!checkedValue.isValid())
+        return GL_INVALID_VALUE;
+    unsigned paddedRowSize = checkedValue.value();
+
+    CheckedInt<uint32_t> rows = imageHeight;
+    rows *= (depth - 1);
+    // Last image is not affected by IMAGE_HEIGHT parameter.
+    rows += height;
+    if (!rows.isValid())
+        return GL_INVALID_VALUE;
+    checkedValue *= (rows.value() - 1);
+    // Last row is not affected by ROW_LENGTH parameter.
+    checkedValue += lastRowSize;
     if (!checkedValue.isValid())
         return GL_INVALID_VALUE;
     *imageSizeInBytes = checkedValue.value();
     if (paddingInBytes)
         *paddingInBytes = padding;
+
+    CheckedInt<uint32_t> skipSize = 0;
+    if (params.skipImages > 0) {
+        CheckedInt<uint32_t> tmp = paddedRowSize;
+        tmp *= imageHeight;
+        tmp *= params.skipImages;
+        if (!tmp.isValid())
+            return GL_INVALID_VALUE;
+        skipSize += tmp.value();
+    }
+    if (params.skipRows > 0) {
+        CheckedInt<uint32_t> tmp = paddedRowSize;
+        tmp *= params.skipRows;
+        if (!tmp.isValid())
+            return GL_INVALID_VALUE;
+        skipSize += tmp.value();
+    }
+    if (params.skipPixels > 0) {
+        CheckedInt<uint32_t> tmp = bytesPerGroup;
+        tmp *= params.skipPixels;
+        if (!tmp.isValid())
+            return GL_INVALID_VALUE;
+        skipSize += tmp.value();
+    }
+    if (!skipSize.isValid())
+        return GL_INVALID_VALUE;
+    if (skipSizeInBytes)
+        *skipSizeInBytes = skipSize.value();
+
+    checkedValue += skipSize.value();
+    if (!checkedValue.isValid())
+        return GL_INVALID_VALUE;
     return GL_NO_ERROR;
 }
 
 WebGLImageConversion::ImageExtractor::ImageExtractor(Image* image, ImageHtmlDomSource imageHtmlDomSource, bool premultiplyAlpha, bool ignoreGammaAndColorProfile)
 {
     m_image = image;
     m_imageHtmlDomSource = imageHtmlDomSource;
     extractImage(premultiplyAlpha, ignoreGammaAndColorProfile);
 }
 
-namespace {
-
-bool frameIsValid(const SkBitmap& frameBitmap)
-{
-    return !frameBitmap.isNull()
-        && !frameBitmap.empty()
-        && frameBitmap.isImmutable()
-        && frameBitmap.colorType() == kN32_SkColorType;
-}
-
-} // anonymous namespace
-
 void WebGLImageConversion::ImageExtractor::extractImage(bool premultiplyAlpha, bool ignoreGammaAndColorProfile)
 {
     ASSERT(!m_imagePixelLocker);
 
     if (!m_image)
         return;
 
     RefPtr<SkImage> skiaImage = m_image->imageForCurrentFrame();
     SkImageInfo info = skiaImage
         ? SkImageInfo::MakeN32Premul(m_image->width(), m_image->height())
@@ skipping 154 matching lines @@
     unsigned width,
     unsigned height,
     unsigned sourceUnpackAlignment,
     Vector<uint8_t>& data)
 {
     if (!pixels)
         return false;
 
     unsigned packedSize;
     // Output data is tightly packed (alignment == 1).
-    if (computeImageSizeInBytes(format, type, width, height, 1, 1, &packedSize, 0) != GL_NO_ERROR)
+    PixelStoreParams params;
+    params.alignment = 1;
+    if (computeImageSizeInBytes(format, type, width, height, 1, params, &packedSize, 0, 0) != GL_NO_ERROR)
         return false;
     data.resize(packedSize);
 
     if (!packPixels(reinterpret_cast<const uint8_t*>(pixels), sourceFormat, width, height, sourceUnpackAlignment, format, type, alphaOp, data.data(), flipY))
         return false;
     if (ImageObserver *observer = image->imageObserver())
         observer->didDraw(image);
     return true;
 }
 
 bool WebGLImageConversion::extractImageData(
     const uint8_t* imageData,
     const IntSize& imageDataSize,
     GLenum format,
     GLenum type,
     bool flipY,
     bool premultiplyAlpha,
     Vector<uint8_t>& data)
 {
     if (!imageData)
         return false;
     int width = imageDataSize.width();
     int height = imageDataSize.height();
 
     unsigned packedSize;
     // Output data is tightly packed (alignment == 1).
-    if (computeImageSizeInBytes(format, type, width, height, 1, 1, &packedSize, 0) != GL_NO_ERROR)
+    PixelStoreParams params;
+    params.alignment = 1;
+    if (computeImageSizeInBytes(format, type, width, height, 1, params, &packedSize, 0, 0) != GL_NO_ERROR)
         return false;
     data.resize(packedSize);
 
     if (!packPixels(imageData, DataFormatRGBA8, width, height, 0, format, type, premultiplyAlpha ? AlphaDoPremultiply : AlphaDoNothing, data.data(), flipY))
         return false;
 
     return true;
 }
 
 bool WebGLImageConversion::extractTextureData(
@@ skipping 60 matching lines @@
     }
 
     FormatConverter converter(width, height, sourceData, destinationData, srcStride, dstStride);
     converter.convert(sourceDataFormat, dstDataFormat, alphaOp);
     if (!converter.Success())
         return false;
     return true;
 }
 
 } // namespace blink