Chromium Code Reviews

Unified Diff: third_party/WebKit/Source/core/html/ImageData.cpp

Issue 2763613003: Fix signed integer overflow in ImageData (Closed)
Patch Set: Created 3 years, 9 months ago
Index: third_party/WebKit/Source/core/html/ImageData.cpp
diff --git a/third_party/WebKit/Source/core/html/ImageData.cpp b/third_party/WebKit/Source/core/html/ImageData.cpp
index ffa7a11b3321b374ba458975db719add28c0ff2a..b32cafa4bffedb27782910eed2dd8dc0fcb6cd6c 100644
--- a/third_party/WebKit/Source/core/html/ImageData.cpp
+++ b/third_party/WebKit/Source/core/html/ImageData.cpp
@@ -147,23 +147,26 @@ DOMArrayBufferView* ImageData::allocateAndValidateDataArray(
DOMArrayBufferView* dataArray = nullptr;
unsigned dataLength = 0;
+ unsigned dataItemLength = 1;
switch (storageFormat) {
case kUint8ClampedArrayStorageFormat:
dataArray = DOMUint8ClampedArray::createOrNull(length);
- dataLength = dataArray->view()->byteLength();
break;
case kUint16ArrayStorageFormat:
dataArray = DOMUint16Array::createOrNull(length);
- dataLength = dataArray->view()->byteLength() / 2;
+ dataItemLength = 2;
break;
case kFloat32ArrayStorageFormat:
dataArray = DOMFloat32Array::createOrNull(length);
- dataLength = dataArray->view()->byteLength() / 4;
+ dataItemLength = 4;
break;
default:
NOTREACHED();
}
+ if (dataArray)
+ dataLength = dataArray->view()->byteLength() / dataItemLength;
+
if (!dataArray || length != dataLength) {
if (exceptionState)
exceptionState->throwDOMException(V8RangeError,
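Review bot: the new `if (dataArray)` guard before `dataArray->view()->byteLength()` is the important part of this hunk: the removed lines called `view()` on the result of `createOrNull()` unconditionally, so an allocation failure was a null dereference before the `!dataArray || length != dataLength` check could run. Worth a one-line comment that `dataLength` intentionally stays 0 when allocation fails so the check below reports both failure modes through the same RangeError path. Two smaller points: `dataItemLength` is really the element size in bytes (`bytesPerElement` would read better), and the `default: NOTREACHED();` arm leaves it at 1 with `dataArray` null, which is fine only because the null guard comes first; a comment there would keep the next editor from reordering the two.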
@@ -178,8 +181,9 @@ ImageData* ImageData::create(const IntSize& size) {
if (!ImageData::validateConstructorArguments(kParamSize, &size))
return nullptr;
DOMArrayBufferView* byteArray = allocateAndValidateDataArray(
- 4 * size.width() * size.height(), kUint8ClampedArrayStorageFormat);
- return new ImageData(size, byteArray);
+ 4 * (unsigned)(size.width()) * (unsigned)(size.height()),
Justin Novosad 2017/03/20 16:03:55 Are we sure that this multiplication will never ov
zakerinasab 2017/03/20 16:06:33 Yes, this is taken care of in validateConstructorA
Justin Novosad 2017/03/20 16:18:40 As far as I can tell, validateConstructorArguments
zakerinasab 2017/03/20 16:31:26 Oh, right. Fixed now.
+ kUint8ClampedArrayStorageFormat);
+ return byteArray ? new ImageData(size, byteArray) : nullptr;
}
// This function accepts size (0, 0) and always returns the ImageData in
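Review bot: casting `size.width()` and `size.height()` to `unsigned` before the `4 *` multiplication turns undefined signed overflow into well-defined modular wraparound, but a wrapped product is still a too-small buffer length for a huge `size`, so the fix is only complete if `validateConstructorArguments(kParamSize, &size)` bounds the product; the thread above shows that was found missing and addressed in a later revision, and a comment here pointing at that bound would make the dependency explicit. A checked multiplication via `base::CheckedNumeric` from `base/numerics/safe_math.h` would make the overflow impossible at this site rather than relying on the caller-side check. Style-wise, Chromium code prefers `static_cast<unsigned>(size.width())` over the C-style `(unsigned)(size.width())`. The `byteArray ? new ImageData(size, byteArray) : nullptr` change is correct: the old `return new ImageData(size, byteArray);` constructed an ImageData around a null view when allocation failed.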