Title: [88849] branches/chromium/742
- Revision
- 88849
- Author
- cev...@google.com
- Date
- 2011-06-14 13:41:34 -0700 (Tue, 14 Jun 2011)
Log Message
Merge 87171
BUG=83270
Review URL: http://codereview.chromium.org/7111053
Copied: branches/chromium/742/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions-expected.txt (from rev 87171, trunk/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions-expected.txt) (0 => 88849)
--- branches/chromium/742/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions-expected.txt (rev 0)
+++ branches/chromium/742/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions-expected.txt 2011-06-14 20:41:34 UTC (rev 88849)
@@ -0,0 +1 @@
+PASS!
Copied: branches/chromium/742/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions.html (from rev 87171, trunk/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions.html) (0 => 88849)
--- branches/chromium/742/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions.html (rev 0)
+++ branches/chromium/742/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions.html 2011-06-14 20:41:34 UTC (rev 88849)
@@ -0,0 +1,11 @@
+<html>
+PASS!
+<script>
+if (window.layoutTestController)
+ window.layoutTestController.dumpAsText();
+
+var canvas = document.createElement("canvas");
+var ctx = canvas.getContext("2d");
+ctx.getImageData(100.5, 2147483647.5, -2048.5, -2048.5);
+</script>
+</html>
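Review bot: The test on L24-L34 asserts nothing about the result of the getImageData call; `PASS!` is static markup, so the page passes whenever it loads without crashing. That is adequate as a crash regression test, but the clamping behaviour introduced in HTMLCanvasElement.cpp stays unverified. Recording the outcome would make it a real check, e.g. `var r; try { r = ctx.getImageData(100.5, 2147483647.5, -2048.5, -2048.5); } catch (e) { r = e.name; }` followed by writing `String(r)` into the document and updating the expected file accordingly.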
Modified: branches/chromium/742/Source/WebCore/html/HTMLCanvasElement.cpp (88848 => 88849)
--- branches/chromium/742/Source/WebCore/html/HTMLCanvasElement.cpp 2011-06-14 20:36:57 UTC (rev 88848)
+++ branches/chromium/742/Source/WebCore/html/HTMLCanvasElement.cpp 2011-06-14 20:41:34 UTC (rev 88849)
@@ -371,17 +371,21 @@
IntRect HTMLCanvasElement::convertLogicalToDevice(const FloatRect& logicalRect) const
{
- float left = floorf(logicalRect.x() * m_pageScaleFactor);
- float top = floorf(logicalRect.y() * m_pageScaleFactor);
- float right = ceilf(logicalRect.maxX() * m_pageScaleFactor);
- float bottom = ceilf(logicalRect.maxY() * m_pageScaleFactor);
-
+ // Prevent under/overflow by ensuring the rect's bounds stay within integer-expressible range
+ int left = clampToInteger(floorf(logicalRect.x() * m_pageScaleFactor));
+ int top = clampToInteger(floorf(logicalRect.y() * m_pageScaleFactor));
+ int right = clampToInteger(ceilf(logicalRect.maxX() * m_pageScaleFactor));
+ int bottom = clampToInteger(ceilf(logicalRect.maxY() * m_pageScaleFactor));
+
return IntRect(IntPoint(left, top), convertToValidDeviceSize(right - left, bottom - top));
}
IntSize HTMLCanvasElement::convertLogicalToDevice(const FloatSize& logicalSize) const
{
- return convertToValidDeviceSize(logicalSize.width() * m_pageScaleFactor, logicalSize.height() * m_pageScaleFactor);
+ // Prevent overflow by ensuring the rect's bounds stay within integer-expressible range
+ float width = clampToInteger(ceilf(logicalSize.width() * m_pageScaleFactor));
+ float height = clampToInteger(ceilf(logicalSize.height() * m_pageScaleFactor));
+ return convertToValidDeviceSize(width, height);
}
IntSize HTMLCanvasElement::convertToValidDeviceSize(float width, float height) const
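Review bot: In convertLogicalToDevice(const FloatRect&) the clamps on L47-L50 keep each bound in int range, but `right - left` and `bottom - top` on L52 are still evaluated in `int` before the implicit conversion to the `float` parameters, so a rect whose clamped bounds land near INT_MIN and INT_MAX overflows there (signed overflow is undefined behaviour). Doing the subtraction in floating point closes that gap, e.g. `convertToValidDeviceSize(static_cast<float>(right) - static_cast<float>(left), static_cast<float>(bottom) - static_cast<float>(top))`. In the FloatSize overload on L58-L59 the clamped int is stored back into a `float`; INT_MAX is not exactly representable as float and rounds up to 2^31, so the value handed to convertToValidDeviceSize can again lie just outside the range it was clamped to — `int` locals, or a clamp inside convertToValidDeviceSize itself, would be tighter. convertToValidDeviceSize's body begins at L62 and continues outside the hunk.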
Modified: branches/chromium/742/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp (88848 => 88849)
--- branches/chromium/742/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp 2011-06-14 20:36:57 UTC (rev 88848)
+++ branches/chromium/742/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp 2011-06-14 20:41:34 UTC (rev 88849)
@@ -1632,6 +1632,10 @@
if (scaledSize.height() < 1)
scaledSize.setHeight(1);
+ float area = 4.0f * scaledSize.width() * scaledSize.height();
+ if (area > static_cast<float>(std::numeric_limits<int>::max()))
+ return 0;
+
return createEmptyImageData(scaledSize);
}
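Review bot: The overflow guard on L69-L71 computes the area in `float`, whose 24-bit mantissa cannot represent values near INT_MAX exactly; `static_cast<float>(std::numeric_limits<int>::max())` rounds to 2^31, so an area whose float product rounds to exactly 2^31 passes the `>` test and the later int-sized allocation can still overflow. Computing in `double` removes the gap, e.g. `double area = 4.0 * scaledSize.width() * scaledSize.height(); if (area > static_cast<double>(std::numeric_limits<int>::max())) return 0;`. The same pattern appears in the ImageBufferData::getData hunk in ImageBufferDataCG.cpp (L94-L96). The enclosing function starts before this hunk.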
@@ -1668,7 +1672,12 @@
ImageBuffer* buffer = canvas()->buffer();
if (!buffer)
return createEmptyImageData(scaledRect.size());
- return ImageData::create(scaledRect.size(), buffer->getUnmultipliedImageData(scaledRect));
+
+ RefPtr<ByteArray> byteArray = buffer->getUnmultipliedImageData(scaledRect);
+ if (!byteArray)
+ return 0;
+
+ return ImageData::create(scaledRect.size(), byteArray.release());
}
void CanvasRenderingContext2D::putImageData(ImageData* data, float dx, float dy, ExceptionCode& ec)
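Review bot: The `!buffer` fallback on L77-L78 still calls createEmptyImageData(scaledRect.size()) without the area guard that the createImageData hunk above adds before its own createEmptyImageData call (L69-L71), so if createEmptyImageData does not check the size itself, an oversized request on a canvas that has no buffer reaches the allocation unguarded. If that helper is unguarded, hoisting the same check to the top of getImageData, before the buffer lookup, would cover both paths with one check. The null check added on L82-L83 looks correct, since the ImageBufferDataCG.cpp change below makes a null result possible. getImageData's body starts before this hunk.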
Modified: branches/chromium/742/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp (88848 => 88849)
--- branches/chromium/742/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp 2011-06-14 20:36:57 UTC (rev 88848)
+++ branches/chromium/742/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp 2011-06-14 20:41:34 UTC (rev 88849)
@@ -110,6 +110,10 @@
PassRefPtr<ByteArray> ImageBufferData::getData(const IntRect& rect, const IntSize& size, bool accelerateRendering, bool unmultiplied) const
{
+ float area = 4.0f * rect.width() * rect.height();
+ if (area > static_cast<float>(std::numeric_limits<int>::max()))
+ return 0;
+
RefPtr<ByteArray> result = ByteArray::create(rect.width() * rect.height() * 4);
unsigned char* data = ""