Modified: trunk/LayoutTests/ChangeLog (87170 => 87171)
--- trunk/LayoutTests/ChangeLog 2011-05-24 17:53:49 UTC (rev 87170)
+++ trunk/LayoutTests/ChangeLog 2011-05-24 18:04:36 UTC (rev 87171)
@@ -1,3 +1,13 @@
+2011-05-24 Matthew Delaney <[email protected]>
+
+ Reviewed by Simon Fraser.
+
+ Clamp coordinates to integers for canvas create/getImageData routines
+ https://bugs.webkit.org/show_bug.cgi?id=61135
+
+ * fast/canvas/canvas-getImageData-largeNonintegralDimensions-expected.txt: Added.
+ * fast/canvas/canvas-getImageData-largeNonintegralDimensions.html: Added.
+
2011-05-24 Tony Chang <[email protected]>
Reviewed by James Robinson.
Added: trunk/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions-expected.txt (0 => 87171)
--- trunk/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions-expected.txt 2011-05-24 18:04:36 UTC (rev 87171)
@@ -0,0 +1 @@
+PASS!
Added: trunk/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions.html (0 => 87171)
--- trunk/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions.html (rev 0)
+++ trunk/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions.html 2011-05-24 18:04:36 UTC (rev 87171)
@@ -0,0 +1,11 @@
+<html>
+PASS!
+<script>
+if (window.layoutTestController)
+ window.layoutTestController.dumpAsText();
+
+var canvas = document.createElement("canvas");
+var ctx = canvas.getContext("2d");
+ctx.getImageData(100.5, 2147483647.5, -2048.5, -2048.5);
+</script>
+</html>
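Review bot: The page prints `PASS!` unconditionally, so the test only verifies that the getImageData call on the preceding script line does not crash; nothing inspects what the call returns, and a regression that produced a wrong-sized or null ImageData without crashing would still pass. Capturing the result and writing it into the dumped text would let the expectation pin the clamped behaviour, e.g. `var data = ctx.getImageData(100.5, 2147483647.5, -2048.5, -2048.5); document.write(data ? data.width + "x" + data.height : "null");`, with the expected.txt updated to whatever the clamped size turns out to be. As written, the test also does not cover the oversize path that the new area checks in WebCore are meant to reject.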
Modified: trunk/Source/WebCore/ChangeLog (87170 => 87171)
--- trunk/Source/WebCore/ChangeLog 2011-05-24 17:53:49 UTC (rev 87170)
+++ trunk/Source/WebCore/ChangeLog 2011-05-24 18:04:36 UTC (rev 87171)
@@ -1,3 +1,20 @@
+2011-05-24 Matthew Delaney <[email protected]>
+
+ Reviewed by Simon Fraser.
+
+ Clamp coordinates to integers for canvas create/getImageData routines
+ https://bugs.webkit.org/show_bug.cgi?id=61135
+
+ Test: fast/canvas/canvas-getImageData-largeNonintegralDimensions.html
+
+ * html/HTMLCanvasElement.cpp:
+ (WebCore::HTMLCanvasElement::convertLogicalToDevice): clamp to ints
+ * html/canvas/CanvasRenderingContext2D.cpp:
+ (WebCore::CanvasRenderingContext2D::createImageData):
+ (WebCore::CanvasRenderingContext2D::getImageData):
+ * platform/graphics/cg/ImageBufferDataCG.cpp:
+ (WebCore::ImageBufferData::getData):
+
2011-05-24 Robin Dunn <[email protected]>
Reviewed by Kevin Ollivier.
Modified: trunk/Source/WebCore/html/HTMLCanvasElement.cpp (87170 => 87171)
--- trunk/Source/WebCore/html/HTMLCanvasElement.cpp 2011-05-24 17:53:49 UTC (rev 87170)
+++ trunk/Source/WebCore/html/HTMLCanvasElement.cpp 2011-05-24 18:04:36 UTC (rev 87171)
@@ -373,17 +373,21 @@
IntRect HTMLCanvasElement::convertLogicalToDevice(const FloatRect& logicalRect) const
{
- float left = floorf(logicalRect.x() * m_pageScaleFactor);
- float top = floorf(logicalRect.y() * m_pageScaleFactor);
- float right = ceilf(logicalRect.maxX() * m_pageScaleFactor);
- float bottom = ceilf(logicalRect.maxY() * m_pageScaleFactor);
-
+ // Prevent under/overflow by ensuring the rect's bounds stay within integer-expressible range
+ int left = clampToInteger(floorf(logicalRect.x() * m_pageScaleFactor));
+ int top = clampToInteger(floorf(logicalRect.y() * m_pageScaleFactor));
+ int right = clampToInteger(ceilf(logicalRect.maxX() * m_pageScaleFactor));
+ int bottom = clampToInteger(ceilf(logicalRect.maxY() * m_pageScaleFactor));
+
return IntRect(IntPoint(left, top), convertToValidDeviceSize(right - left, bottom - top));
}
IntSize HTMLCanvasElement::convertLogicalToDevice(const FloatSize& logicalSize) const
{
- return convertToValidDeviceSize(logicalSize.width() * m_pageScaleFactor, logicalSize.height() * m_pageScaleFactor);
+ // Prevent overflow by ensuring the rect's bounds stay within integer-expressible range
+ float width = clampToInteger(ceilf(logicalSize.width() * m_pageScaleFactor));
+ float height = clampToInteger(ceilf(logicalSize.height() * m_pageScaleFactor));
+ return convertToValidDeviceSize(width, height);
}
IntSize HTMLCanvasElement::convertToValidDeviceSize(float width, float height) const
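Review bot: The subtractions `right - left` and `bottom - top` on the return line of the FloatRect overload are still evaluated in int, and now that each operand is independently clamped to the full int range the difference can exceed it (a rect whose left edge clamps near INT_MIN and right edge near INT_MAX), which is signed overflow rather than a clamped value. Since convertToValidDeviceSize takes floats anyway, widen before subtracting: `return IntRect(IntPoint(left, top), convertToValidDeviceSize(static_cast<float>(right) - static_cast<float>(left), static_cast<float>(bottom) - static_cast<float>(top)));`, on the assumption that convertToValidDeviceSize (whose body begins at the hunk's last line and is not shown) bounds the resulting size. In the FloatSize overload the clamped results are stored in `float width` / `float height`; if clampToInteger returns int, as the `int left = clampToInteger(...)` assignments above suggest, declaring them `int` would make the two overloads read consistently and make the "clamped to integer" intent visible at the declaration.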
Modified: trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp (87170 => 87171)
--- trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp 2011-05-24 17:53:49 UTC (rev 87170)
+++ trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp 2011-05-24 18:04:36 UTC (rev 87171)
@@ -1656,6 +1656,10 @@
if (scaledSize.height() < 1)
scaledSize.setHeight(1);
+ float area = 4.0f * scaledSize.width() * scaledSize.height();
+ if (area > static_cast<float>(std::numeric_limits<int>::max()))
+ return 0;
+
return createEmptyImageData(scaledSize);
}
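Review bot: The new guard `float area = 4.0f * scaledSize.width() * scaledSize.height(); if (area > static_cast<float>(std::numeric_limits<int>::max()))` is done in float, and `static_cast<float>(INT_MAX)` rounds up to 2147483648.0f, so an area of exactly 2^31, or one that float's 24-bit mantissa rounds down across that boundary, passes the check while the integer product the allocation later performs (`rect.width() * rect.height() * 4` in ImageBufferData::getData) still overflows. If scaledSize is an integer size here (its declaration is above the hunk), an integer check avoids both problems: `if (scaledSize.width() > std::numeric_limits<int>::max() / 4 / scaledSize.height()) return 0;`, which is safe because the clamp just above guarantees the height is at least 1. The same float comparison is repeated in the ImageBufferDataCG.cpp hunk in getData, where neither dimension is shown to be positive, so a `<= 0` guard would be needed before dividing there. createImageData's signature and the computation of scaledSize are above this hunk.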
@@ -1692,7 +1696,12 @@
ImageBuffer* buffer = canvas()->buffer();
if (!buffer)
return createEmptyImageData(scaledRect.size());
- return ImageData::create(scaledRect.size(), buffer->getUnmultipliedImageData(scaledRect));
+
+ RefPtr<ByteArray> byteArray = buffer->getUnmultipliedImageData(scaledRect);
+ if (!byteArray)
+ return 0;
+
+ return ImageData::create(scaledRect.size(), byteArray.release());
}
void CanvasRenderingContext2D::putImageData(ImageData* data, float dx, float dy, ExceptionCode& ec)
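Review bot: Within the same function a missing buffer (`if (!buffer) return createEmptyImageData(scaledRect.size());`) yields an empty ImageData, while the new `if (!byteArray) return 0;` yields no object at all, so callers now see two different failure shapes for what is, from script's point of view, the same call. If the distinction is deliberate — refusing an oversize allocation outright rather than handing back an empty object — a comment on the new check would save the next reader from "fixing" it, e.g. `// Unlike the missing-buffer case above, an oversize request produces no ImageData; callers must null-check.`; if it is not, returning createEmptyImageData here too would keep the function's contract uniform. getImageData's signature is above the hunk, so whether it receives an ExceptionCode that could report the failure, as putImageData below does, cannot be confirmed from here.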
Modified: trunk/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp (87170 => 87171)
--- trunk/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp 2011-05-24 17:53:49 UTC (rev 87170)
+++ trunk/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp 2011-05-24 18:04:36 UTC (rev 87171)
@@ -110,6 +110,10 @@
PassRefPtr<ByteArray> ImageBufferData::getData(const IntRect& rect, const IntSize& size, bool accelerateRendering, bool unmultiplied) const
{
+ float area = 4.0f * rect.width() * rect.height();
+ if (area > static_cast<float>(std::numeric_limits<int>::max()))
+ return 0;
+
RefPtr<ByteArray> result = ByteArray::create(rect.width() * rect.height() * 4);
unsigned char* data = ""