Prevent bad casting in ImageBitmap when calling ArrayBuffer::createOrNull

third_party/WebKit/Source/core/frame/ImageBitmap.cpp

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/ImageBitmap.h"
 
 #include "core/html/HTMLCanvasElement.h"
 #include "core/html/HTMLVideoElement.h"
 #include "core/html/ImageData.h"
 #include "platform/graphics/skia/SkiaUtils.h"
@@ skipping 107 matching lines @@
     return false;
   totalBytes = options.resizeWidth;
   totalBytes *= options.resizeHeight;
   totalBytes *= options.bytesPerPixel;
   if (!totalBytes.IsValid())
     return true;
 
   return false;
 }
 
+bool arrayBufferCreationHasOverflow(unsigned width, unsigned height) {
+  CheckedNumeric<unsigned> numElement = width;
+  numElement *= height;

[Justin Novosad, 2016/11/11 14:40:29]

It'a a bit wasteful that this product is always re-computed after the check. 
You should just use CheckedNumeric in-line IMHO

+  if (!numElement.IsValid())
+    return true;
+  return false;
+}
+
 }  // namespace
 
 static PassRefPtr<Uint8Array> copySkImageData(SkImage* input,
                                               const SkImageInfo& info) {
+  if (arrayBufferCreationHasOverflow(static_cast<unsigned>(input->width()),
+                                     static_cast<unsigned>(input->height())))
+    return nullptr;
   // The function dstBufferSizeHasOverflow() is being called at the beginning of
   // each ImageBitmap() constructor, which makes sure that doing
   // width * height * bytesPerPixel will never overflow size_t.
   size_t width = static_cast<size_t>(input->width());

[Justin Novosad, 2016/11/11 14:40:29]

Here width is size_t, but the check was done using unsigned. So you might be
getting false rejections from that test.

   RefPtr<ArrayBuffer> dstBuffer =
       ArrayBuffer::createOrNull(width * input->height(), info.bytesPerPixel());
   if (!dstBuffer)
     return nullptr;
   RefPtr<Uint8Array> dstPixels =
       Uint8Array::create(dstBuffer, 0, dstBuffer->byteLength());
   input->readPixels(info, dstPixels->data(), width * info.bytesPerPixel(), 0,
                     0);
   return dstPixels;
 }
@@ skipping 133 matching lines @@
     ImageDecoder::ColorSpaceOption colorSpaceOp =
         ImageDecoder::ColorSpaceApplied) {
   ASSERT(image);
   IntRect imgRect(IntPoint(), IntSize(image->width(), image->height()));
   const IntRect srcRect = intersection(imgRect, parsedOptions.cropRect);
 
   // In the case when cropRect doesn't intersect the source image and it
   // requires a umpremul image We immediately return a transparent black image
   // with cropRect.size()
   if (srcRect.isEmpty() && !parsedOptions.premultiplyAlpha) {
+    if (arrayBufferCreationHasOverflow(parsedOptions.resizeWidth,
+                                       parsedOptions.resizeHeight))
+      return nullptr;
     SkImageInfo info =
         SkImageInfo::Make(parsedOptions.resizeWidth, parsedOptions.resizeHeight,
                           kN32_SkColorType, kUnpremul_SkAlphaType);
     RefPtr<ArrayBuffer> dstBuffer = ArrayBuffer::createOrNull(
         static_cast<size_t>(info.width()) * info.height(),
         info.bytesPerPixel());
     if (!dstBuffer)
       return nullptr;
     RefPtr<Uint8Array> dstPixels =
         Uint8Array::create(dstBuffer, 0, dstBuffer->byteLength());
@@ skipping 208 matching lines @@
   if (!m_image)
     return;
   m_image->setPremultiplied(isImageBitmapPremultiplied);
   m_image->setOriginClean(isImageBitmapOriginClean);
 }
 
 static sk_sp<SkImage> scaleSkImage(sk_sp<SkImage> skImage,
                                    unsigned resizeWidth,
                                    unsigned resizeHeight,
                                    SkFilterQuality resizeQuality) {
+  if (arrayBufferCreationHasOverflow(resizeWidth, resizeHeight))
+    return nullptr;
   SkImageInfo resizedInfo = SkImageInfo::Make(
       resizeWidth, resizeHeight, kN32_SkColorType, kUnpremul_SkAlphaType);
   RefPtr<ArrayBuffer> dstBuffer = ArrayBuffer::createOrNull(
       resizeWidth * resizeHeight, resizedInfo.bytesPerPixel());
   if (!dstBuffer)
     return nullptr;
   RefPtr<Uint8Array> resizedPixels =
       Uint8Array::create(dstBuffer, 0, dstBuffer->byteLength());
   SkPixmap pixmap(
       resizedInfo, resizedPixels->data(),
@@ skipping 32 matching lines @@
     sk_sp<SkImage> skImage;
     if (parsedOptions.cropRect == IntRect(IntPoint(), data->size())) {
       swizzleImageData(srcAddr, data->size().height(), srcPixelBytesPerRow,
                        parsedOptions.flipY);
       skImage =
           SkImage::MakeRasterCopy(SkPixmap(info, srcAddr, dstPixelBytesPerRow));
       // restore the original ImageData
       swizzleImageData(srcAddr, data->size().height(), srcPixelBytesPerRow,
                        parsedOptions.flipY);
     } else {
+      if (arrayBufferCreationHasOverflow(
+              static_cast<unsigned>(parsedOptions.cropRect.width()),
+              static_cast<unsigned>(parsedOptions.cropRect.height())))
+        return;
       RefPtr<ArrayBuffer> dstBuffer = ArrayBuffer::createOrNull(
           static_cast<size_t>(parsedOptions.cropRect.height()) *
               parsedOptions.cropRect.width(),
           bytesPerPixel);
       if (!dstBuffer)
         return;
       RefPtr<Uint8Array> copiedDataBuffer =
           Uint8Array::create(dstBuffer, 0, dstBuffer->byteLength());
       if (!srcRect.isEmpty()) {
         IntPoint srcPoint = IntPoint(
@@ skipping 278 matching lines @@
 void ImageBitmap::adjustDrawRects(FloatRect* srcRect,
                                   FloatRect* dstRect) const {}
 
 FloatSize ImageBitmap::elementSize(const FloatSize&) const {
   return FloatSize(width(), height());
 }
 
 DEFINE_TRACE(ImageBitmap) {}
 
 }  // namespace blink