Prevent integer overlow on getImageData

third_party/WebKit/Source/modules/canvas2d/BaseRenderingContext2D.cpp

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "modules/canvas2d/BaseRenderingContext2D.h"
 
 #include "bindings/core/v8/ExceptionMessages.h"
 #include "bindings/core/v8/ExceptionState.h"
 #include "bindings/core/v8/ScriptState.h"
 #include "core/css/cssom/CSSURLImageValue.h"
@@ skipping 13 matching lines @@
 #include "platform/RuntimeEnabledFeatures.h"
 #include "platform/geometry/FloatQuad.h"
 #include "platform/graphics/Color.h"
 #include "platform/graphics/ExpensiveCanvasHeuristicParameters.h"
 #include "platform/graphics/Image.h"
 #include "platform/graphics/ImageBuffer.h"
 #include "platform/graphics/StrokeData.h"
 #include "platform/graphics/paint/PaintCanvas.h"
 #include "platform/graphics/paint/PaintFlags.h"
 #include "platform/graphics/skia/SkiaUtils.h"
+#include "platform/wtf/CheckedNumeric.h"
 
 namespace blink {
 
 BaseRenderingContext2D::BaseRenderingContext2D()
     : m_clipAntialiasing(NotAntiAliased) {
   m_stateStack.push_back(CanvasRenderingContext2DState::create());
 }
 
 BaseRenderingContext2D::~BaseRenderingContext2D() {}
 
@@ skipping 1479 matching lines @@
     exceptionState.throwRangeError("Out of memory at ImageData creation");
   return result;
 }
 
 ImageData* BaseRenderingContext2D::getImageData(
     int sx,
     int sy,
     int sw,
     int sh,
     ExceptionState& exceptionState) const {
+  if (!WTF::CheckMul(sw, sh).IsValid<int>()) {
+    exceptionState.throwRangeError("Out of memory at ImageData creation");
+    return nullptr;
+  }
+
   m_usageCounters.numGetImageDataCalls++;
   m_usageCounters.areaGetImageDataCalls += sw * sh;
   if (!originClean())
     exceptionState.throwSecurityError(
         "The canvas has been tainted by cross-origin data.");
   else if (!sw || !sh)
     exceptionState.throwDOMException(
         IndexSizeError,
         String::format("The source %s is 0.", sw ? "height" : "width"));
 
   if (exceptionState.hadException())
     return nullptr;
 
   if (sw < 0) {
     sx += sw;
     sw = -sw;
   }
   if (sh < 0) {
     sy += sh;
     sh = -sh;
   }
 
+  if (!WTF::CheckAdd(sx, sw).IsValid<int>() ||
+      !WTF::CheckAdd(sy, sh).IsValid<int>()) {
+    exceptionState.throwRangeError("Out of memory at ImageData creation");
+    return nullptr;
+  }
+
   Optional<ScopedUsHistogramTimer> timer;
   if (imageBuffer() && imageBuffer()->isAccelerated()) {
     DEFINE_THREAD_SAFE_STATIC_LOCAL(
         CustomCountHistogram, scopedUsCounterGPU,
         new CustomCountHistogram("Blink.Canvas.GetImageData.GPU", 0, 10000000,
                                  50));
     timer.emplace(scopedUsCounterGPU);
   } else if (imageBuffer() && imageBuffer()->isRecording()) {
     DEFINE_THREAD_SAFE_STATIC_LOCAL(
         CustomCountHistogram, scopedUsCounterDisplayList,
         new CustomCountHistogram("Blink.Canvas.GetImageData.DisplayList", 0,
                                  10000000, 50));
     timer.emplace(scopedUsCounterDisplayList);
   } else {
     DEFINE_THREAD_SAFE_STATIC_LOCAL(
         CustomCountHistogram, scopedUsCounterCPU,
         new CustomCountHistogram("Blink.Canvas.GetImageData.CPU", 0, 10000000,
                                  50));
     timer.emplace(scopedUsCounterCPU);
   }
 
   IntRect imageDataRect(sx, sy, sw, sh);
-  DVLOG(1) << sx << ", " << sy << ", " << sw << ", " << sh;
   ImageBuffer* buffer = imageBuffer();
   if (!buffer || isContextLost()) {
     ImageData* result = ImageData::create(imageDataRect.size());
     if (!result)
       exceptionState.throwRangeError("Out of memory at ImageData creation");
     return result;
   }
 
   WTF::ArrayBufferContents contents;
   if (!buffer->getImageData(Unmultiplied, imageDataRect, contents)) {
@@ skipping 16 matching lines @@
 }
 
 void BaseRenderingContext2D::putImageData(ImageData* data,
                                           int dx,
                                           int dy,
                                           int dirtyX,
                                           int dirtyY,
                                           int dirtyWidth,
                                           int dirtyHeight,
                                           ExceptionState& exceptionState) {
+  if (!WTF::CheckMul(dirtyWidth, dirtyHeight).IsValid<int>()) {
+    return;
+  }
+
   m_usageCounters.numPutImageDataCalls++;
   m_usageCounters.areaPutImageDataCalls += dirtyWidth * dirtyHeight;
   if (data->data()->bufferBase()->isNeutered()) {
     exceptionState.throwDOMException(InvalidStateError,
                                      "The source data has been neutered.");
     return;
   }
   ImageBuffer* buffer = imageBuffer();
   if (!buffer)
     return;
@@ skipping 390 matching lines @@
       ExpensiveCanvasHeuristicParameters::ShadowFixedCost[index] *
           m_usageCounters.numBlurredShadows +
       ExpensiveCanvasHeuristicParameters::
               ShadowVariableCostPerAreaTimesShadowBlurSquared[index] *
           m_usageCounters.boundingBoxAreaTimesShadowBlurSquared;
 
   return basicCostOfDrawCalls + fillTypeAdjustment + shadowAdjustment;
 }
 
 }  // namespace blink