| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2008 Apple Inc. All rights reserved. | 2 * Copyright (C) 2008 Apple Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * | 7 * |
| 8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
| (...skipping 129 matching lines...) | |
| 140 | 140 |
| 141 DOMArrayBufferView* ImageData::allocateAndValidateDataArray( | 141 DOMArrayBufferView* ImageData::allocateAndValidateDataArray( |
| 142 const unsigned& length, | 142 const unsigned& length, |
| 143 ImageDataStorageFormat storageFormat, | 143 ImageDataStorageFormat storageFormat, |
| 144 ExceptionState* exceptionState) { | 144 ExceptionState* exceptionState) { |
| 145 if (!length) | 145 if (!length) |
| 146 return nullptr; | 146 return nullptr; |
| 147 | 147 |
| 148 DOMArrayBufferView* dataArray = nullptr; | 148 DOMArrayBufferView* dataArray = nullptr; |
| 149 unsigned dataLength = 0; | 149 unsigned dataLength = 0; |
| 150 unsigned dataItemLength = 1; | |
| 150 switch (storageFormat) { | 151 switch (storageFormat) { |
| 151 case kUint8ClampedArrayStorageFormat: | 152 case kUint8ClampedArrayStorageFormat: |
| 152 dataArray = DOMUint8ClampedArray::createOrNull(length); | 153 dataArray = DOMUint8ClampedArray::createOrNull(length); |
| 153 dataLength = dataArray->view()->byteLength(); | |
| 154 break; | 154 break; |
| 155 case kUint16ArrayStorageFormat: | 155 case kUint16ArrayStorageFormat: |
| 156 dataArray = DOMUint16Array::createOrNull(length); | 156 dataArray = DOMUint16Array::createOrNull(length); |
| 157 dataLength = dataArray->view()->byteLength() / 2; | 157 dataItemLength = 2; |
| 158 break; | 158 break; |
| 159 case kFloat32ArrayStorageFormat: | 159 case kFloat32ArrayStorageFormat: |
| 160 dataArray = DOMFloat32Array::createOrNull(length); | 160 dataArray = DOMFloat32Array::createOrNull(length); |
| 161 dataLength = dataArray->view()->byteLength() / 4; | 161 dataItemLength = 4; |
| 162 break; | 162 break; |
| 163 default: | 163 default: |
| 164 NOTREACHED(); | 164 NOTREACHED(); |
| 165 } | 165 } |
| 166 | 166 |
| 167 if (dataArray) | |
| 168 dataLength = dataArray->view()->byteLength() / dataItemLength; | |
| 169 | |
| 167 if (!dataArray || length != dataLength) { | 170 if (!dataArray || length != dataLength) { |
| 168 if (exceptionState) | 171 if (exceptionState) |
| 169 exceptionState->throwDOMException(V8RangeError, | 172 exceptionState->throwDOMException(V8RangeError, |
| 170 "Out of memory at ImageData creation"); | 173 "Out of memory at ImageData creation"); |
| 171 return nullptr; | 174 return nullptr; |
| 172 } | 175 } |
| 173 | 176 |
| 174 return dataArray; | 177 return dataArray; |
| 175 } | 178 } |
| 176 | 179 |
| 177 ImageData* ImageData::create(const IntSize& size) { | 180 ImageData* ImageData::create(const IntSize& size) { |
| 178 if (!ImageData::validateConstructorArguments(kParamSize, &size)) | 181 if (!ImageData::validateConstructorArguments(kParamSize, &size)) |
| 179 return nullptr; | 182 return nullptr; |
| 180 DOMArrayBufferView* byteArray = allocateAndValidateDataArray( | 183 DOMArrayBufferView* byteArray = allocateAndValidateDataArray( |
| 181 4 * size.width() * size.height(), kUint8ClampedArrayStorageFormat); | 184 4 * (unsigned)(size.width()) * (unsigned)(size.height()), |
|
Justin Novosad
2017/03/20 16:03:55
Are we sure that this multiplication will never ov
zakerinasab
2017/03/20 16:06:33
Yes, this is taken care of in validateConstructorA
Justin Novosad
2017/03/20 16:18:40
As far as I can tell, validateConstructorArguments
zakerinasab
2017/03/20 16:31:26
Oh, right. Fixed now.
| |
| 182 return new ImageData(size, byteArray); | 185 kUint8ClampedArrayStorageFormat); |
| 186 return byteArray ? new ImageData(size, byteArray) : nullptr; | |
| 183 } | 187 } |
| 184 | 188 |
| 185 // This function accepts size (0, 0) and always returns the ImageData in | 189 // This function accepts size (0, 0) and always returns the ImageData in |
| 186 // "srgb" color space and "uint8" storage format. | 190 // "srgb" color space and "uint8" storage format. |
| 187 ImageData* ImageData::createForTest(const IntSize& size) { | 191 ImageData* ImageData::createForTest(const IntSize& size) { |
| 188 CheckedNumeric<unsigned> dataSize = 4; | 192 CheckedNumeric<unsigned> dataSize = 4; |
| 189 dataSize *= size.width(); | 193 dataSize *= size.width(); |
| 190 dataSize *= size.height(); | 194 dataSize *= size.height(); |
| 191 if (!dataSize.IsValid()) | 195 if (!dataSize.IsValid()) |
| 192 return nullptr; | 196 return nullptr; |
| (...skipping 225 matching lines...) | |
| 418 SECURITY_CHECK(static_cast<unsigned>(size.width() * size.height() * 4) <= | 422 SECURITY_CHECK(static_cast<unsigned>(size.width() * size.height() * 4) <= |
| 419 m_dataF32->length()); | 423 m_dataF32->length()); |
| 420 break; | 424 break; |
| 421 | 425 |
| 422 default: | 426 default: |
| 423 NOTREACHED(); | 427 NOTREACHED(); |
| 424 } | 428 } |
| 425 } | 429 } |
| 426 | 430 |
| 427 } // namespace blink | 431 } // namespace blink |
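Review bot: The `SECURITY_CHECK` at new line 422 computes `size.width() * size.height() * 4` in `int` and casts to `unsigned` only afterwards, so a large size overflows a signed int (undefined behaviour), and a wrapped product can compare as small against `m_dataF32->length()` and let the check pass. Unless validation outside the visible lines already bounds the size, build the product with `CheckedNumeric<unsigned>` the way `createForTest` does at new lines 192-195, then assert `SECURITY_CHECK(dataSize.IsValid() && dataSize.ValueOrDie() <= m_dataF32->length());`. The enclosing function and the other cases of its switch start in the skipped lines, so the same expression may need the same treatment for the other storage formats.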