
Side by Side Diff: third_party/WebKit/Source/core/html/ImageData.cpp

Issue 2528243002: Fix silent truncations when extracting values from CheckedNumeric (Closed)
Patch Set: compile cleanup and fix Created 4 years ago
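--- a/third_party/WebKit/Source/core/html/ImageData.cpp
+++ b/third_party/WebKit/Source/core/html/ImageData.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright (C) 2008 Apple Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
@@ -32,44 +32,43 @@
 #include "bindings/core/v8/V8Uint8ClampedArray.h"
 #include "core/dom/ExceptionCode.h"
 #include "core/frame/ImageBitmap.h"
 #include "core/imagebitmap/ImageBitmapOptions.h"
 #include "platform/RuntimeEnabledFeatures.h"
 #include "wtf/CheckedNumeric.h"
 
 namespace blink {
 
 ImageData* ImageData::create(const IntSize& size) {
-CheckedNumeric<int> dataSize = 4;
+CheckedNumeric<unsigned> dataSize = 4;
 dataSize *= size.width();
 dataSize *= size.height();
-if (!dataSize.IsValid() || dataSize.ValueOrDie() < 0)
+if (!dataSize.IsValid())
 return nullptr;
 
 DOMUint8ClampedArray* byteArray =
 DOMUint8ClampedArray::createOrNull(dataSize.ValueOrDie());
 if (!byteArray)
 return nullptr;
 
 return new ImageData(size, byteArray);
 }
 
 ImageData* ImageData::create(const IntSize& size,
 DOMUint8ClampedArray* byteArray) {
-CheckedNumeric<int> dataSize = 4;
+CheckedNumeric<unsigned> dataSize = 4;
 dataSize *= size.width();
 dataSize *= size.height();
 if (!dataSize.IsValid())
 return nullptr;
 
-if (dataSize.ValueOrDie() < 0 ||
-static_cast<unsigned>(dataSize.ValueOrDie()) > byteArray->length())
+if (!dataSize.IsValid() || dataSize.ValueOrDie() > byteArray->length())
 return nullptr;
 
 return new ImageData(size, byteArray);
 }
 
 ImageData* ImageData::create(unsigned width,
 unsigned height,
 ExceptionState& exceptionState) {
 if (!width || !height) {
 exceptionState.throwDOMException(
@@ -214,10 +213,10 @@
 
 ImageData::ImageData(const IntSize& size, DOMUint8ClampedArray* byteArray)
 : m_size(size), m_data(byteArray) {
 DCHECK_GE(size.width(), 0);
 DCHECK_GE(size.height(), 0);
 SECURITY_CHECK(static_cast<unsigned>(size.width() * size.height() * 4) <=
 m_data->length());
 }
 
 } // namespace blink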
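Review bot: The SECURITY_CHECK in the ImageData(const IntSize&, DOMUint8ClampedArray*) constructor still evaluates `size.width() * size.height() * 4` in plain int, so for sizes the new `CheckedNumeric<unsigned>` factories now accept (4*w*h between INT_MAX+1 and UINT_MAX) the product overflows signed int before the cast to unsigned, which is undefined behaviour and the same silent-truncation class this issue is fixing. Since this constructor presumably backstops every create() path, including the overloads in the skipped region, it should do the same checked multiplication and fail the check on overflow, as sketched below. Separately, in the second create() overload the new line `if (!dataSize.IsValid() || dataSize.ValueOrDie() > byteArray->length())` re-tests IsValid() three lines after the identical early return, so the first term can be dropped. Note also that a zero width paired with a negative height still yields a valid product of 0 in both factories, leaving the negative dimension to the debug-only DCHECK_GE; an explicit `if (size.width() < 0 || size.height() < 0) return nullptr;` before the multiplication would reject it in release builds too.
```cpp
ImageData::ImageData(const IntSize& size, DOMUint8ClampedArray* byteArray)
    : m_size(size), m_data(byteArray) {
  // … unchanged: DCHECK_GE on width and height …
  CheckedNumeric<unsigned> dataSize = 4;
  dataSize *= size.width();
  dataSize *= size.height();
  SECURITY_CHECK(dataSize.IsValid() &&
                 dataSize.ValueOrDie() <= m_data->length());
}
```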
