Reject createImageBitmap promise when the cropRect or resize is too big

Reject createImageBitmap promise when the cropRect or resize is too big

At this moment, creating an ImageBitmap has several options such as flipY
and premultiplyAlpha = false. So in some cases, we would have to convert
the premultiplied input to unpremul format, and that involves allocating
new memory. To prevent any potential integer overflow or OOM situation,
this CL checks the size of the cropRect and the resizeWidth(resizeHeight),
if the width * height * bytesPerPixel is larger than size_t range, we reject
the promise. By doing the check at the beginning of each ImageBitmap constructor,
we can guarantee that the subsequent multiplication of
width * height * bytesPerPixel will not overflow.

This CL also correct other places where there could be
potential integer overflow. In particular, since we have checked at
the beginning of each ImageBitmap constructor, it should be safe
to use size_t for any computation of width * height in the code.

TBR=kbr@chromium.org, haraken@chromium.org
BUG=638615
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2249853008
Cr-Commit-Position: refs/heads/master@{#414687}
(cherry picked from commit a43a9eaba800ac7a88b22e8ea6d1666c8dc28ab6)

Committed: https://chromium.googlesource.com/chromium/src/+/91ec52303dfb46bb62583a5ddc9be4c24cb559c2

[xidachen, 2016-09-09 13:24:47]

Description was changed from

==========
Reject createImageBitmap promise when the cropRect or resize is too big

At this moment, creating an ImageBitmap has several options such as flipY
and premultiplyAlpha = false. So in some cases, we would have to convert
the premultiplied input to unpremul format, and that involves allocating
new memory. To prevent any potential integer overflow or OOM situation,
this CL checks the size of the cropRect and the resizeWidth(resizeHeight),
if the width * height * bytesPerPixel is larger than size_t range, we reject
the promise. By doing the check at the beginning of each ImageBitmap
constructor,
we can guarantee that the subsequent multiplication of
width * height * bytesPerPixel will not overflow.

This CL also correct other places where there could be
potential integer overflow. In particular, since we have checked at
the beginning of each ImageBitmap constructor, it should be safe
to use size_t for any computation of width * height in the code.

TBR=kbr@chromium.org, haraken@chromium.org
BUG=638615
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2249853008
Cr-Commit-Position: refs/heads/master@{#414687}
(cherry picked from commit a43a9eaba800ac7a88b22e8ea6d1666c8dc28ab6)
==========

to

==========
Reject createImageBitmap promise when the cropRect or resize is too big

At this moment, creating an ImageBitmap has several options such as flipY
and premultiplyAlpha = false. So in some cases, we would have to convert
the premultiplied input to unpremul format, and that involves allocating
new memory. To prevent any potential integer overflow or OOM situation,
this CL checks the size of the cropRect and the resizeWidth(resizeHeight),
if the width * height * bytesPerPixel is larger than size_t range, we reject
the promise. By doing the check at the beginning of each ImageBitmap
constructor,
we can guarantee that the subsequent multiplication of
width * height * bytesPerPixel will not overflow.

This CL also correct other places where there could be
potential integer overflow. In particular, since we have checked at
the beginning of each ImageBitmap constructor, it should be safe
to use size_t for any computation of width * height in the code.

TBR=kbr@chromium.org, haraken@chromium.org
BUG=638615
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2249853008
Cr-Commit-Position: refs/heads/master@{#414687}
(cherry picked from commit a43a9eaba800ac7a88b22e8ea6d1666c8dc28ab6)

Committed:
https://chromium.googlesource.com/chromium/src/+/91ec52303dfb46bb62583a5ddc9b...
==========

[xidachen, 2016-09-09 13:24:49]

Committed patchset #1 (id:1) manually as
91ec52303dfb46bb62583a5ddc9be4c24cb559c2.

[Ken Russell (switch to Gerrit), 2016-09-09 23:32:40]

Merge-back LGTM assuming it's been well tested.