Fix integer over flow issue in HTMLCanvasElement::canCreateImageBuffer

Fix integer over flow issue in HTMLCanvasElement::canCreateImageBuffer

Right now in this method, it does a size.width() * size.height(), and
that could cause integer overflow.

This CL fix that by using CheckedNumeric<int>.

BUG=630024
Committed: https://crrev.com/29622ffb0f2116f242bcddb38aec7a9100dda7ea
Cr-Commit-Position: refs/heads/master@{#406914}

[xidachen, 2016-07-21 13:47:02]

xidachen@chromium.org changed reviewers:
+ junov@chromium.org

[xidachen, 2016-07-21 13:47:03]

PTAL

[Justin Novosad, 2016-07-21 15:35:58]

On 2016/07/21 13:47:03, xidachen wrote:
> PTAL
Prefer this:


#include "base/numerics/safe_math.h"

(...)

CheckedNumeric<int> area = size.width();
area *= size.height();
if (!area.IsValid() || area.ValueOrDie() > MaxCanvasArea)
   return false;

[xidachen, 2016-07-21 15:45:34]

On 2016/07/21 15:35:58, Justin Novosad wrote:
> On 2016/07/21 13:47:03, xidachen wrote:
> > PTAL
> Prefer this:
> 
> 
> #include "base/numerics/safe_math.h"
> 
> (...)
> 
> CheckedNumeric<int> area = size.width();
> area *= size.height();
> if (!area.IsValid() || area.ValueOrDie() > MaxCanvasArea)
>    return false;

Good point. We are not allowed to include src/base/ directly from WebKit, but we
already have a wtf::CheckedNumeric in this file, so that works.

[Justin Novosad, 2016-07-21 15:52:47]

lgtm

[xidachen, 2016-07-21 15:54:34]

The CQ bit was checked by xidachen@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-21 15:54:48]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[xidachen, 2016-07-21 15:54:50]

Description was changed from

==========
Fix integer over flow issue in HTMLCanvasElement::canCreateImageBuffer

Right now in this method, it does a size.width() * size.height(), and
that could cause integer overflow.

This CL fix that by moving size.height() to the other side of the
inequality.

BUG=630024
==========

to

==========
Fix integer over flow issue in HTMLCanvasElement::canCreateImageBuffer

Right now in this method, it does a size.width() * size.height(), and
that could cause integer overflow.

This CL fix that by using CheckedNumeric<int>.

BUG=630024
==========

[commit-bot: I haz the power, 2016-07-21 17:33:59]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-21 17:34:01]

Dry run: Try jobs failed on following builders:
  mac_chromium_rel_ng on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_...)

[xidachen, 2016-07-21 17:34:37]

The CQ bit was checked by xidachen@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-21 17:34:53]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-21 18:23:29]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-21 18:23:30]

Dry run: This issue passed the CQ dry run.

[xidachen, 2016-07-21 18:28:13]

The CQ bit was checked by xidachen@chromium.org

[commit-bot: I haz the power, 2016-07-21 18:29:23]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-21 18:36:14]

Description was changed from

==========
Fix integer over flow issue in HTMLCanvasElement::canCreateImageBuffer

Right now in this method, it does a size.width() * size.height(), and
that could cause integer overflow.

This CL fix that by using CheckedNumeric<int>.

BUG=630024
==========

to

==========
Fix integer over flow issue in HTMLCanvasElement::canCreateImageBuffer

Right now in this method, it does a size.width() * size.height(), and
that could cause integer overflow.

This CL fix that by using CheckedNumeric<int>.

BUG=630024
==========

[commit-bot: I haz the power, 2016-07-21 18:36:18]

Committed patchset #2 (id:20001)

[commit-bot: I haz the power, 2016-07-21 18:37:32]

Description was changed from

==========
Fix integer over flow issue in HTMLCanvasElement::canCreateImageBuffer

Right now in this method, it does a size.width() * size.height(), and
that could cause integer overflow.

This CL fix that by using CheckedNumeric<int>.

BUG=630024
==========

to

==========
Fix integer over flow issue in HTMLCanvasElement::canCreateImageBuffer

Right now in this method, it does a size.width() * size.height(), and
that could cause integer overflow.

This CL fix that by using CheckedNumeric<int>.

BUG=630024

Committed: https://crrev.com/29622ffb0f2116f242bcddb38aec7a9100dda7ea
Cr-Commit-Position: refs/heads/master@{#406914}
==========

[commit-bot: I haz the power, 2016-07-21 18:37:33]

Patchset 2 (id:??) landed as
https://crrev.com/29622ffb0f2116f242bcddb38aec7a9100dda7ea
Cr-Commit-Position: refs/heads/master@{#406914}