Merge 87171

Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp

Index: Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp
===================================================================
--- Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp	(revision 88846)
+++ Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp	(working copy)
@@ -1632,6 +1632,10 @@
     if (scaledSize.height() < 1)
         scaledSize.setHeight(1);
 
+    float area = 4.0f * scaledSize.width() * scaledSize.height();
+    if (area > static_cast<float>(std::numeric_limits<int>::max()))
+        return 0;
+
     return createEmptyImageData(scaledSize);
 }
 
@@ -1668,7 +1672,12 @@
     ImageBuffer* buffer = canvas()->buffer();
     if (!buffer)
         return createEmptyImageData(scaledRect.size());
-    return ImageData::create(scaledRect.size(), buffer->getUnmultipliedImageData(scaledRect));
+
+    RefPtr<ByteArray> byteArray = buffer->getUnmultipliedImageData(scaledRect);
+    if (!byteArray)
+        return 0;
+
+    return ImageData::create(scaledRect.size(), byteArray.release());
 }
 
 void CanvasRenderingContext2D::putImageData(ImageData* data, float dx, float dy, ExceptionCode& ec)