Index: third_party/WebKit/Source/core/frame/ImageBitmap.cpp |
diff --git a/third_party/WebKit/Source/core/frame/ImageBitmap.cpp b/third_party/WebKit/Source/core/frame/ImageBitmap.cpp |
index ea65053dcc9cc3ede316e1038d221664f00deac9..a3bf7c6a9cdaf60d7f4ac8b26b6280ea42301553 100644 |
--- a/third_party/WebKit/Source/core/frame/ImageBitmap.cpp |
+++ b/third_party/WebKit/Source/core/frame/ImageBitmap.cpp |
@@ -125,10 +125,21 @@ bool dstBufferSizeHasOverflow(ParsedOptions options) { |
return false; |
} |
+bool arrayBufferCreationHasOverflow(unsigned width, unsigned height) { |
+ CheckedNumeric<unsigned> numElement = width; |
+ numElement *= height; |
Justin Novosad
2016/11/11 14:40:29
It's a bit wasteful that this product is always re
|
+ if (!numElement.IsValid()) |
+ return true; |
+ return false; |
+} |
+ |
} // namespace |
static PassRefPtr<Uint8Array> copySkImageData(SkImage* input, |
const SkImageInfo& info) { |
+ if (arrayBufferCreationHasOverflow(static_cast<unsigned>(input->width()), |
+ static_cast<unsigned>(input->height()))) |
+ return nullptr; |
// The function dstBufferSizeHasOverflow() is being called at the beginning of |
// each ImageBitmap() constructor, which makes sure that doing |
// width * height * bytesPerPixel will never overflow size_t. |
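Review bot: The new early `return nullptr` at the top of copySkImageData adds a failure path that its callers, which lie outside this hunk, must handle before they touch the returned Uint8Array; the same holds for the `return nullptr` added in cropImage and scaleSkImage. The comment kept below the check still speaks only of dstBufferSizeHasOverflow() and size_t, so a reader cannot tell why a second check is needed. I would add a line above the new `if` such as `// width * height must also fit in unsigned, the type used for the element count when the buffer is created.`, worded to match the actual ArrayBuffer::createOrNull signature, which is not visible here. copySkImageData's body continues past the hunk.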
@@ -286,6 +297,9 @@ static PassRefPtr<StaticBitmapImage> cropImage( |
// requires a umpremul image We immediately return a transparent black image |
// with cropRect.size() |
if (srcRect.isEmpty() && !parsedOptions.premultiplyAlpha) { |
+ if (arrayBufferCreationHasOverflow(parsedOptions.resizeWidth, |
+ parsedOptions.resizeHeight)) |
+ return nullptr; |
SkImageInfo info = |
SkImageInfo::Make(parsedOptions.resizeWidth, parsedOptions.resizeHeight, |
kN32_SkColorType, kUnpremul_SkAlphaType); |
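Review bot: The comment directly above this branch still says the code immediately returns a transparent black image, but with the added check the branch can now return nullptr instead. Extend that comment so the null result is a documented outcome, for example `// Returns nullptr if resizeWidth * resizeHeight overflows unsigned.` cropImage starts and ends outside the hunk.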
@@ -514,6 +528,8 @@ static sk_sp<SkImage> scaleSkImage(sk_sp<SkImage> skImage, |
unsigned resizeWidth, |
unsigned resizeHeight, |
SkFilterQuality resizeQuality) { |
+ if (arrayBufferCreationHasOverflow(resizeWidth, resizeHeight)) |
+ return nullptr; |
SkImageInfo resizedInfo = SkImageInfo::Make( |
resizeWidth, resizeHeight, kN32_SkColorType, kUnpremul_SkAlphaType); |
RefPtr<ArrayBuffer> dstBuffer = ArrayBuffer::createOrNull( |
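Review bot: The guard added at the top of scaleSkImage rejects only a product that overflows unsigned, so a single dimension above INT_MAX paired with 0 or 1 still passes and is then handed to `SkImageInfo::Make`, which takes int dimensions. If earlier option parsing does not already bound each dimension (not visible here), a per-dimension check would close that gap, e.g. `if (resizeWidth > static_cast<unsigned>(std::numeric_limits<int>::max()) || resizeHeight > static_cast<unsigned>(std::numeric_limits<int>::max())) return nullptr;`. The same consideration applies to the cropImage hunk, which passes parsedOptions.resizeWidth and resizeHeight to the same call. The function body continues outside the hunk.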
@@ -566,6 +582,10 @@ ImageBitmap::ImageBitmap(ImageData* data, |
swizzleImageData(srcAddr, data->size().height(), srcPixelBytesPerRow, |
parsedOptions.flipY); |
} else { |
+ if (arrayBufferCreationHasOverflow( |
+ static_cast<unsigned>(parsedOptions.cropRect.width()), |
+ static_cast<unsigned>(parsedOptions.cropRect.height()))) |
+ return; |
RefPtr<ArrayBuffer> dstBuffer = ArrayBuffer::createOrNull( |
static_cast<size_t>(parsedOptions.cropRect.height()) * |
parsedOptions.cropRect.width(), |
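Review bot: The bare `return;` added in the `else` branch exits the ImageBitmap constructor early, so the object is still constructed but without the image this branch would otherwise have built. Whether callers can detect that state is not visible in the hunk. A comment at the return would make the contract explicit, e.g. `// Overflow: leave this ImageBitmap without image data; callers must check before use.` The constructor body starts and ends outside the hunk.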