Description
Reject createImageBitmap promise when the cropRect or resize is too big
At this moment, creating an ImageBitmap has several options such as flipY
and premultiplyAlpha = false. So in some cases, we would have to convert
the premultiplied input to unpremul format, and that involves allocating
new memory. To prevent any potential integer overflow or OOM situation,
this CL checks the size of the cropRect and the resizeWidth(resizeHeight),
if the width * height * bytesPerPixel is larger than size_t range, we reject
the promise. By doing the check at the beginning of each ImageBitmap constructor,
we can guarantee that the subsequent multiplication of
width * height * bytesPerPixel will not overflow.
This CL also corrects other places where there could be
potential integer overflow. In particular, since we have checked at
the beginning of each ImageBitmap constructor, it should be safe
to use size_t for any computation of width * height in the code.
TBR=kbr@chromium.org, haraken@chromium.org
BUG=638615
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel
Committed: https://crrev.com/a43a9eaba800ac7a88b22e8ea6d1666c8dc28ab6
Cr-Commit-Position: refs/heads/master@{#414687}
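The up-front size check the description outlines, as an added example that is not code from this CL or from Blink. The function names, the `limit` parameter (used to model a 32-bit size_t on any host) and the convention that a resize of 0 x 0 means "no resize" are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical helper, not Blink code. Computes width * height * bytesPerPixel
// into *out and returns false if a dimension is non-positive or the product
// would exceed `limit` (SIZE_MAX by default; a parameter so the 32-bit case
// can be exercised on a 64-bit host).
bool checkedPixelBytes(int width, int height, unsigned bytesPerPixel, size_t* out,
                       size_t limit = std::numeric_limits<size_t>::max()) {
    if (width <= 0 || height <= 0 || bytesPerPixel == 0)
        return false;
    const size_t w = static_cast<size_t>(width);
    const size_t h = static_cast<size_t>(height);
    if (w > limit / h)  // w * h would exceed limit
        return false;
    const size_t area = w * h;
    if (area > limit / bytesPerPixel)  // area * bytesPerPixel would exceed limit
        return false;
    *out = area * bytesPerPixel;
    return true;
}

// What an unchecked 32-bit computation yields: unsigned arithmetic wraps
// modulo 2^32, so the "size" can be far smaller than the pixels to be written.
uint32_t wrappedPixelBytes32(uint32_t width, uint32_t height, uint32_t bytesPerPixel) {
    return width * height * bytesPerPixel;
}

// Constructor-entry gate: the crop rectangle and, if requested, the resize
// target must both fit. A resize of 0 x 0 means "no resize" (assumption).
bool shouldRejectPromise(int cropW, int cropH, int resizeW, int resizeH,
                         unsigned bytesPerPixel, size_t limit) {
    size_t bytes = 0;
    if (!checkedPixelBytes(cropW, cropH, bytesPerPixel, &bytes, limit))
        return true;
    if (resizeW != 0 || resizeH != 0)
        return !checkedPixelBytes(resizeW, resizeH, bytesPerPixel, &bytes, limit);
    return false;
}

int main() {
    const size_t limit32 = 0xFFFFFFFFu;  // size_t range on a 32-bit build; inputs are constructed
    std::printf("wrapped size: %u\n", (unsigned)wrappedPixelBytes32(40000, 40000, 4));
    std::printf("reject crop: %d\n", shouldRejectPromise(65536, 65536, 0, 0, 4, limit32));
    std::printf("reject resize: %d\n", shouldRejectPromise(100, 100, 32768, 32768, 4, limit32));
    std::printf("reject small: %d\n", shouldRejectPromise(100, 100, 200, 200, 4, limit32));
}
```

Dividing the limit by one factor before multiplying keeps every intermediate value in range, so the check itself cannot overflow.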
Patch Set 1
Total comments: 11
Patch Set 2 : mostly done
Patch Set 3 : back to int
Patch Set 4 : using size_t + partitionAlloc
Total comments: 2
Patch Set 5 : size_t + Uint8Array + null check (lots)
Total comments: 1
Patch Set 6 : debugging on win, do not commit
Total comments: 2
Patch Set 7 : still debugging
Patch Set 8 : using std::move + leakRef
Patch Set 9 : debugging
Total comments: 4
Patch Set 10 : more printf debugging
Patch Set 11 : fix on win
Patch Set 12 : update tests
Messages
Total messages: 31 (15 generated)