Title: [209207] branches/safari-602-branch
- Revision
- 209207
- Author
- matthew_han...@apple.com
- Date
- 2016-12-01 14:23:47 -0800 (Thu, 01 Dec 2016)
Log Message
Merge r208628. rdar://problem/29277337
Modified: branches/safari-602-branch/LayoutTests/ChangeLog (209206 => 209207)
--- branches/safari-602-branch/LayoutTests/ChangeLog 2016-12-01 22:14:09 UTC (rev 209206)
+++ branches/safari-602-branch/LayoutTests/ChangeLog 2016-12-01 22:23:47 UTC (rev 209207)
@@ -1,3 +1,18 @@
+2016-12-01 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r208628. rdar://problem/29277337
+
+ 2016-11-11 Brent Fulgham <bfulg...@apple.com>
+
+ Neutered ArrayBuffers are not properly serialized
+ https://bugs.webkit.org/show_bug.cgi?id=164647
+ <rdar://problem/29213490>
+
+ Reviewed by David Kilzer.
+
+ * fast/canvas/neutered-imagedata-expected.txt: Added.
+ * fast/canvas/neutered-imagedata.html: Added.
+
2016-11-14 Matthew Hanson <matthew_han...@apple.com>
Merge r208691. rdar://problem/29250304
Added: branches/safari-602-branch/LayoutTests/fast/canvas/neutered-imagedata-expected.txt (0 => 209207)
--- branches/safari-602-branch/LayoutTests/fast/canvas/neutered-imagedata-expected.txt (rev 0)
+++ branches/safari-602-branch/LayoutTests/fast/canvas/neutered-imagedata-expected.txt 2016-12-01 22:23:47 UTC (rev 209207)
@@ -0,0 +1,10 @@
+Tests that serialized image buffers account for neutered state.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Found only zeros.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
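--- a/branches/safari-602-branch/LayoutTests/fast/canvas/neutered-imagedata.html
+++ b/branches/safari-602-branch/LayoutTests/fast/canvas/neutered-imagedata.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<script src=""
+<script>
+description('Tests that serialized image buffers account for neutered state.');
+
+window.jsTestIsAsync = true;
+
+function checkState(state) {
+var elementCount = state.width * state.height;
+
+for (var i = 0; i < elementCount; ++i) {
+if (state.data[i] != 0) {
+testFailed("Found non-zero data.");
+finishJSTest();
+return;
+}
+}
+
+testPassed("Found only zeros.");
+finishJSTest();
+}
+
+function runTest() {
+if (window.testRunner) {
+testRunner.dumpAsText(true);
+testRunner.waitUntilDone();
+}
+
+var id = new ImageData(1, 256);
+
+// This will neuter the data buffer.
+postMessage("", "*", [id.data.buffer]);
+
+history.pushState(id, "");
+
+setTimeout(function() {
+checkState(history.state);
+}, 0);
+}
+</script>
+</head>
+<body _onload_="runTest()">
+</body>
+</html>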
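Review bot: checkState only inspects the first width*height entries of state.data, but ImageData.data holds four bytes (RGBA) per pixel, so three quarters of the 1x256 buffer are never examined and a non-zero byte there would still report PASS; `var elementCount = state.data.length;` (or `state.width * state.height * 4`) covers the whole buffer. checkState also indexes `state.data` without checking that history.state round-tripped at all, so a deserialization failure would surface as a TypeError instead of a clear failure; a guard such as `if (!state || !state.data) { testFailed("No ImageData in history.state."); finishJSTest(); return; }` at the top of the function makes the failure mode explicit. The `<script src=""` line near the top looks like a rendering artifact of this page rather than what was committed, since description/testPassed/finishJSTest presumably come from the js-test helper it referenced.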
Modified: branches/safari-602-branch/Source/WebCore/ChangeLog (209206 => 209207)
--- branches/safari-602-branch/Source/WebCore/ChangeLog 2016-12-01 22:14:09 UTC (rev 209206)
+++ branches/safari-602-branch/Source/WebCore/ChangeLog 2016-12-01 22:23:47 UTC (rev 209207)
@@ -1,3 +1,22 @@
+2016-12-01 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r208628. rdar://problem/29277337
+
+ 2016-11-11 Brent Fulgham <bfulg...@apple.com>
+
+ Neutered ArrayBuffers are not properly serialized
+ https://bugs.webkit.org/show_bug.cgi?id=164647
+ <rdar://problem/29213490>
+
+ Reviewed by David Kilzer.
+
+ Correct binding logic to handle ImageBuffers being deserialized from neutered ArrayBuffers.
+
+ Test: fast/canvas/neutered-imagedata.html
+
+ * bindings/js/SerializedScriptValue.cpp:
+ (WebCore::CloneDeserializer::readTerminal):
+
2016-11-28 Matthew Hanson <matthew_han...@apple.com>
Merge r209045. rdar://problem/29404778
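--- a/branches/safari-602-branch/Source/WebCore/bindings/js/SerializedScriptValue.cpp
+++ b/branches/safari-602-branch/Source/WebCore/bindings/js/SerializedScriptValue.cpp
@@ -2269,7 +2269,7 @@
 uint32_t length;
 if (!read(length))
 return JSValue();
-if (m_end < ((uint8_t*)0) + length || m_ptr > m_end - length) {
+if (m_end - m_ptr < length) {
 fail();
 return JSValue();
 }
@@ -2277,8 +2277,17 @@
 m_ptr += length;
 return jsNull();
 }
-RefPtr<ImageData> result = ImageData::create(IntSize(width, height));
-memcpy(result->data()->data(), m_ptr, length);
+IntSize imageSize(width, height);
+RELEASE_ASSERT(!length || (imageSize.area() * 4).unsafeGet() <= length);
+RefPtr<ImageData> result = ImageData::create(imageSize);
+if (!result) {
+fail();
+return JSValue();
+}
+if (length)
+memcpy(result->data()->data(), m_ptr, length);
+else
+result->data()->zeroFill();
 m_ptr += length;
 return getJSValue(result.get());
 }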
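Review bot: The RELEASE_ASSERT added before ImageData::create only rejects a length that is smaller than the pixel buffer (it requires area*4 <= length), yet the memcpy a few lines later copies `length` bytes into an ImageData whose buffer is exactly imageSize.area()*4 bytes, so a serialized length larger than the pixel buffer passes the assert and would write past the end of that buffer. If the serializer always records length equal to the pixel-buffer size, the guard should pin that equality, `RELEASE_ASSERT(!length || (imageSize.area() * 4).unsafeGet() == length);`, which rejects both a short and an oversized payload before any copy happens. The earlier hunk's new bounds check `m_end - m_ptr < length` compares a ptrdiff_t with a uint32_t; that is fine on LP64 targets but worth a short comment noting that m_ptr <= m_end is an invariant here, since a negative difference would convert to a large unsigned value on 32-bit builds. The enclosing readTerminal() starts and ends outside the hunk, so I cannot see whether width and height were validated before this point; the note presumes area() yields a checked arithmetic type whose unsafeGet() traps on overflow before the comparison.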