
Unified Diff: third_party/WebKit/Source/core/frame/ImageBitmap.cpp

Issue 2500493002: Prevent bad casting in ImageBitmap when calling ArrayBuffer::createOrNull (Closed)
Patch Set: Created 4 years, 1 month ago
Index: third_party/WebKit/Source/core/frame/ImageBitmap.cpp
diff --git a/third_party/WebKit/Source/core/frame/ImageBitmap.cpp b/third_party/WebKit/Source/core/frame/ImageBitmap.cpp
index ea65053dcc9cc3ede316e1038d221664f00deac9..a3bf7c6a9cdaf60d7f4ac8b26b6280ea42301553 100644
--- a/third_party/WebKit/Source/core/frame/ImageBitmap.cpp
+++ b/third_party/WebKit/Source/core/frame/ImageBitmap.cpp
@@ -125,10 +125,21 @@ bool dstBufferSizeHasOverflow(ParsedOptions options) {
return false;
}
+bool arrayBufferCreationHasOverflow(unsigned width, unsigned height) {
+ CheckedNumeric<unsigned> numElement = width;
+ numElement *= height;
Justin Novosad 2016/11/11 14:40:29 It's a bit wasteful that this product is always re
+ if (!numElement.IsValid())
+ return true;
+ return false;
+}
+
} // namespace
static PassRefPtr<Uint8Array> copySkImageData(SkImage* input,
const SkImageInfo& info) {
+ if (arrayBufferCreationHasOverflow(static_cast<unsigned>(input->width()),
+ static_cast<unsigned>(input->height())))
+ return nullptr;
// The function dstBufferSizeHasOverflow() is being called at the beginning of
// each ImageBitmap() constructor, which makes sure that doing
// width * height * bytesPerPixel will never overflow size_t.
@@ -286,6 +297,9 @@ static PassRefPtr<StaticBitmapImage> cropImage(
// requires a umpremul image We immediately return a transparent black image
// with cropRect.size()
if (srcRect.isEmpty() && !parsedOptions.premultiplyAlpha) {
+ if (arrayBufferCreationHasOverflow(parsedOptions.resizeWidth,
+ parsedOptions.resizeHeight))
+ return nullptr;
SkImageInfo info =
SkImageInfo::Make(parsedOptions.resizeWidth, parsedOptions.resizeHeight,
kN32_SkColorType, kUnpremul_SkAlphaType);
@@ -514,6 +528,8 @@ static sk_sp<SkImage> scaleSkImage(sk_sp<SkImage> skImage,
unsigned resizeWidth,
unsigned resizeHeight,
SkFilterQuality resizeQuality) {
+ if (arrayBufferCreationHasOverflow(resizeWidth, resizeHeight))
+ return nullptr;
SkImageInfo resizedInfo = SkImageInfo::Make(
resizeWidth, resizeHeight, kN32_SkColorType, kUnpremul_SkAlphaType);
RefPtr<ArrayBuffer> dstBuffer = ArrayBuffer::createOrNull(
@@ -566,6 +582,10 @@ ImageBitmap::ImageBitmap(ImageData* data,
swizzleImageData(srcAddr, data->size().height(), srcPixelBytesPerRow,
parsedOptions.flipY);
} else {
+ if (arrayBufferCreationHasOverflow(
+ static_cast<unsigned>(parsedOptions.cropRect.width()),
+ static_cast<unsigned>(parsedOptions.cropRect.height())))
+ return;
RefPtr<ArrayBuffer> dstBuffer = ArrayBuffer::createOrNull(
static_cast<size_t>(parsedOptions.cropRect.height()) *
parsedOptions.cropRect.width(),
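Review bot: arrayBufferCreationHasOverflow in the first hunk bounds width * height in `unsigned` without saying why that is the right bound; since the issue title ties this to ArrayBuffer::createOrNull, add `// ArrayBuffer::createOrNull takes an unsigned element count; reject sizes whose element count would wrap when narrowed from size_t.` above the function, and the body can collapse to `return !numElement.IsValid();`. The callers in the first and fourth hunks convert int widths and heights with `static_cast<unsigned>`; if either dimension can be negative there, the cast wraps to a large value before the check runs, so an explicit `<= 0` guard ahead of the cast would be safer, though the hunk does not show whether those dimensions are guaranteed non-negative. Both copySkImageData and the ImageBitmap constructor continue outside their hunks.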
