third_party/WebKit/Source/modules/canvas2d/BaseRenderingContext2D.cpp - Issue 2797333002: Prevent integer overlow on getImageData

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: third_party/WebKit/Source/modules/canvas2d/BaseRenderingContext2D.cpp

Issue 2797333002: Prevent integer overlow on getImageData (Closed)

Patch Set: x Created 3 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: third_party/WebKit/Source/modules/canvas2d/BaseRenderingContext2D.cpp

diff --git a/third_party/WebKit/Source/modules/canvas2d/BaseRenderingContext2D.cpp b/third_party/WebKit/Source/modules/canvas2d/BaseRenderingContext2D.cpp

index e7f9f3bfe590b13529a01cfe7c89a7f8c9b4eff0..caf941af0bd3c820cb7e8e44d68258400623dbb6 100644

--- a/third_party/WebKit/Source/modules/canvas2d/BaseRenderingContext2D.cpp

+++ b/third_party/WebKit/Source/modules/canvas2d/BaseRenderingContext2D.cpp

@@ -31,6 +31,7 @@

#include "platform/graphics/paint/PaintCanvas.h"

#include "platform/graphics/paint/PaintFlags.h"

#include "platform/graphics/skia/SkiaUtils.h"

+#include "platform/wtf/CheckedNumeric.h"

namespace blink {

@@ -1530,6 +1531,11 @@ ImageData* BaseRenderingContext2D::getImageData(

int sw,

int sh,

ExceptionState& exceptionState) const {

+ if (!WTF::CheckMul(sw, sh).IsValid<int>()) {

+ exceptionState.throwRangeError("Out of memory at ImageData creation");

+ return nullptr;

+ }

m_usageCounters.numGetImageDataCalls++;

m_usageCounters.areaGetImageDataCalls += sw * sh;

if (!originClean())

@@ -1552,6 +1558,12 @@ ImageData* BaseRenderingContext2D::getImageData(

sh = -sh;

}

+ if (!WTF::CheckAdd(sx, sw).IsValid<int>() ||

+ !WTF::CheckAdd(sy, sh).IsValid<int>()) {

+ exceptionState.throwRangeError("Out of memory at ImageData creation");

+ return nullptr;

+ }

Optional<ScopedUsHistogramTimer> timer;

if (imageBuffer() && imageBuffer()->isAccelerated()) {

DEFINE_THREAD_SAFE_STATIC_LOCAL(

@@ -1574,7 +1586,6 @@ ImageData* BaseRenderingContext2D::getImageData(

}

IntRect imageDataRect(sx, sy, sw, sh);

- DVLOG(1) << sx << ", " << sy << ", " << sw << ", " << sh;

ImageBuffer* buffer = imageBuffer();

if (!buffer || isContextLost()) {

ImageData* result = ImageData::create(imageDataRect.size());

@@ -1611,6 +1622,10 @@ void BaseRenderingContext2D::putImageData(ImageData* data,

int dirtyWidth,

int dirtyHeight,

ExceptionState& exceptionState) {

+ if (!WTF::CheckMul(dirtyWidth, dirtyHeight).IsValid<int>()) {

+ return;

+ }

m_usageCounters.numPutImageDataCalls++;

m_usageCounters.areaPutImageDataCalls += dirtyWidth * dirtyHeight;

if (data->data()->bufferBase()->isNeutered()) {

« no previous file with comments | « no previous file | no next file » | no next file with comments »