Chromium Code Reviews Chromium Code Reviews
Issue 2404583002:
Fix integer overflow in ObjectPainter and divide by zero in Color. (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/paint/ObjectPainter.h" | 5 #include "core/paint/ObjectPainter.h" |
| 6 | 6 |
| 7 #include "core/layout/LayoutBlock.h" | 7 #include "core/layout/LayoutBlock.h" |
| 8 #include "core/layout/LayoutInline.h" | 8 #include "core/layout/LayoutInline.h" |
| 9 #include "core/layout/LayoutObject.h" | 9 #include "core/layout/LayoutObject.h" |
| 10 #include "core/layout/LayoutTheme.h" | 10 #include "core/layout/LayoutTheme.h" |
| (...skipping 197 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 208 path.lineTo(quad[1]); | 208 path.lineTo(quad[1]); |
| 209 path.lineTo(quad[2]); | 209 path.lineTo(quad[2]); |
| 210 path.lineTo(quad[3]); | 210 path.lineTo(quad[3]); |
| 211 SkPaint paint(context.fillPaint()); | 211 SkPaint paint(context.fillPaint()); |
| 212 paint.setAntiAlias(antialias); | 212 paint.setAntiAlias(antialias); |
| 213 paint.setColor(color.rgb()); | 213 paint.setColor(color.rgb()); |
| 214 | 214 |
| 215 context.drawPath(path, paint); | 215 context.drawPath(path, paint); |
| 216 } | 216 } |
| 217 | 217 |
| 218 int safeSubtract(int a, int b) { | |
|
pdr.
2016/10/07 22:14:35
I think you can use the existing code in Saturated
wkorman
2016/10/07 23:43:19
Done.
| |
| 219 if (((b < 0) && (a > std::numeric_limits<int>::max() + b)) || | |
| 220 ((b > 0) && (a < std::numeric_limits<int>::min() + b))) | |
| 221 return a; | |
| 222 return a - b; | |
| 223 } | |
| 224 | |
| 225 int safeAdd(int a, int b) { | |
| 226 if (((b > 0) && (a > std::numeric_limits<int>::max() - b)) || | |
| 227 ((b < 0) && (a < std::numeric_limits<int>::min() - b))) | |
| 228 return a; | |
| 229 return a + b; | |
| 230 } | |
| 231 | |
| 218 } // namespace | 232 } // namespace |
| 219 | 233 |
| 220 void ObjectPainter::paintOutline(const PaintInfo& paintInfo, | 234 void ObjectPainter::paintOutline(const PaintInfo& paintInfo, |
| 221 const LayoutPoint& paintOffset) { | 235 const LayoutPoint& paintOffset) { |
| 222 ASSERT(shouldPaintSelfOutline(paintInfo.phase)); | 236 ASSERT(shouldPaintSelfOutline(paintInfo.phase)); |
| 223 | 237 |
| 224 const ComputedStyle& styleToUse = m_layoutObject.styleRef(); | 238 const ComputedStyle& styleToUse = m_layoutObject.styleRef(); |
| 225 if (!styleToUse.hasOutline() || | 239 if (!styleToUse.hasOutline() || |
| 226 styleToUse.visibility() != EVisibility::Visible) | 240 styleToUse.visibility() != EVisibility::Visible) |
| 227 return; | 241 return; |
| (...skipping 115 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 343 int y2, | 357 int y2, |
| 344 BoxSide side, | 358 BoxSide side, |
| 345 Color color, | 359 Color color, |
| 346 EBorderStyle style, | 360 EBorderStyle style, |
| 347 int adjacentWidth1, | 361 int adjacentWidth1, |
| 348 int adjacentWidth2, | 362 int adjacentWidth2, |
| 349 bool antialias) { | 363 bool antialias) { |
| 350 int thickness; | 364 int thickness; |
| 351 int length; | 365 int length; |
| 352 if (side == BSTop || side == BSBottom) { | 366 if (side == BSTop || side == BSBottom) { |
| 353 thickness = y2 - y1; | 367 thickness = safeSubtract(y2, y1); |
| 354 length = x2 - x1; | 368 length = safeSubtract(x2, x1); |
| 355 } else { | 369 } else { |
| 356 thickness = x2 - x1; | 370 thickness = safeSubtract(x2, x1); |
| 357 length = y2 - y1; | 371 length = safeSubtract(y2, y1); |
| 358 } | 372 } |
| 359 | 373 |
| 360 // We would like this check to be an ASSERT as we don't want to draw empty | 374 // We would like this check to be an ASSERT as we don't want to draw empty |
| 361 // borders. However nothing guarantees that the following recursive calls to | 375 // borders. However nothing guarantees that the following recursive calls to |
| 362 // drawLineForBoxSide will have positive thickness and length. | 376 // drawLineForBoxSide will have positive thickness and length. |
| 363 if (length <= 0 || thickness <= 0) | 377 if (length <= 0 || thickness <= 0) |
| 364 return; | 378 return; |
| 365 | 379 |
| 366 if (style == BorderStyleDouble && thickness < 3) | 380 if (style == BorderStyleDouble && thickness < 3) |
| 367 style = BorderStyleSolid; | 381 style = BorderStyleSolid; |
| (...skipping 217 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 585 (x1 + x2 + 1) / 2, y2 - std::max(-adjacentWidth2, 0) / 2, side, color, | 599 (x1 + x2 + 1) / 2, y2 - std::max(-adjacentWidth2, 0) / 2, side, color, |
| 586 s1, adjacent1BigHalf, adjacent2BigHalf, antialias); | 600 s1, adjacent1BigHalf, adjacent2BigHalf, antialias); |
| 587 drawLineForBoxSide(graphicsContext, (x1 + x2 + 1) / 2, | 601 drawLineForBoxSide(graphicsContext, (x1 + x2 + 1) / 2, |
| 588 y1 + std::max(adjacentWidth1 + 1, 0) / 2, x2, | 602 y1 + std::max(adjacentWidth1 + 1, 0) / 2, x2, |
| 589 y2 - std::max(adjacentWidth2 + 1, 0) / 2, side, color, | 603 y2 - std::max(adjacentWidth2 + 1, 0) / 2, side, color, |
| 590 s2, adjacentWidth1 / 2, adjacentWidth2 / 2, antialias); | 604 s2, adjacentWidth1 / 2, adjacentWidth2 / 2, antialias); |
| 591 break; | 605 break; |
| 592 case BSBottom: | 606 case BSBottom: |
| 593 drawLineForBoxSide(graphicsContext, x1 + std::max(adjacentWidth1, 0) / 2, | 607 drawLineForBoxSide(graphicsContext, x1 + std::max(adjacentWidth1, 0) / 2, |
| 594 y1, x2 - std::max(adjacentWidth2, 0) / 2, | 608 y1, x2 - std::max(adjacentWidth2, 0) / 2, |
| 595 (y1 + y2 + 1) / 2, side, color, s2, adjacent1BigHalf, | 609 safeAdd(y1, safeAdd(y2, 1)) / 2, side, color, s2, |
| 596 adjacent2BigHalf, antialias); | 610 adjacent1BigHalf, adjacent2BigHalf, antialias); |
| 597 drawLineForBoxSide( | 611 drawLineForBoxSide( |
| 598 graphicsContext, x1 + std::max(-adjacentWidth1 + 1, 0) / 2, | 612 graphicsContext, x1 + std::max(-adjacentWidth1 + 1, 0) / 2, |
| 599 (y1 + y2 + 1) / 2, x2 - std::max(-adjacentWidth2 + 1, 0) / 2, y2, | 613 safeAdd(y1, safeAdd(y2, 1)) / 2, |
| 600 side, color, s1, adjacentWidth1 / 2, adjacentWidth2 / 2, antialias); | 614 x2 - std::max(-adjacentWidth2 + 1, 0) / 2, y2, side, color, s1, |
| 615 adjacentWidth1 / 2, adjacentWidth2 / 2, antialias); | |
| 601 break; | 616 break; |
| 602 case BSRight: | 617 case BSRight: |
| 603 drawLineForBoxSide( | 618 drawLineForBoxSide( |
| 604 graphicsContext, x1, y1 + std::max(adjacentWidth1, 0) / 2, | 619 graphicsContext, x1, y1 + std::max(adjacentWidth1, 0) / 2, |
| 605 (x1 + x2 + 1) / 2, y2 - std::max(adjacentWidth2, 0) / 2, side, color, | 620 (x1 + x2 + 1) / 2, y2 - std::max(adjacentWidth2, 0) / 2, side, color, |
| 606 s2, adjacent1BigHalf, adjacent2BigHalf, antialias); | 621 s2, adjacent1BigHalf, adjacent2BigHalf, antialias); |
| 607 drawLineForBoxSide(graphicsContext, (x1 + x2 + 1) / 2, | 622 drawLineForBoxSide(graphicsContext, (x1 + x2 + 1) / 2, |
| 608 y1 + std::max(-adjacentWidth1 + 1, 0) / 2, x2, | 623 y1 + std::max(-adjacentWidth1 + 1, 0) / 2, x2, |
| 609 y2 - std::max(-adjacentWidth2 + 1, 0) / 2, side, color, | 624 y2 - std::max(-adjacentWidth2 + 1, 0) / 2, side, color, |
| 610 s1, adjacentWidth1 / 2, adjacentWidth2 / 2, antialias); | 625 s1, adjacentWidth1 / 2, adjacentWidth2 / 2, antialias); |
| (...skipping 76 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 687 m_layoutObject.paint(info, paintOffset); | 702 m_layoutObject.paint(info, paintOffset); |
| 688 info.phase = PaintPhaseFloat; | 703 info.phase = PaintPhaseFloat; |
| 689 m_layoutObject.paint(info, paintOffset); | 704 m_layoutObject.paint(info, paintOffset); |
| 690 info.phase = PaintPhaseForeground; | 705 info.phase = PaintPhaseForeground; |
| 691 m_layoutObject.paint(info, paintOffset); | 706 m_layoutObject.paint(info, paintOffset); |
| 692 info.phase = PaintPhaseOutline; | 707 info.phase = PaintPhaseOutline; |
| 693 m_layoutObject.paint(info, paintOffset); | 708 m_layoutObject.paint(info, paintOffset); |
| 694 } | 709 } |
| 695 | 710 |
| 696 } // namespace blink | 711 } // namespace blink |
| OLD | NEW |
