Title: [202887] trunk
Revision
202887
Author
[email protected]
Date
2016-07-06 18:02:57 -0700 (Wed, 06 Jul 2016)

Log Message

Return values of JSArray::createUninitialized (and related) are not consistently checked for nullptr
https://bugs.webkit.org/show_bug.cgi?id=159495
<rdar://problem/26075433>

Reviewed by Dean Jackson.

Source/WebCore:

Test: fast/canvas/canvas-getImageData-invalid-result-buffer-crash.html

* html/ImageData.cpp:
(WebCore::ImageData::ImageData): Assert at construction if we could not create a valid
buffer.
* platform/SharedBuffer.cpp:
(WebCore::SharedBuffer::createArrayBuffer): Check for a null buffer before using it.
* platform/graphics/cg/ImageBufferDataCG.cpp:
(WebCore::ImageBufferData::getData): Ditto.
* platform/graphics/filters/FEGaussianBlur.cpp:
(WebCore::FEGaussianBlur::platformApplySoftware): Ditto.
* platform/graphics/filters/FilterEffect.cpp:
(WebCore::FilterEffect::copyImageBytes): Ditto.
(WebCore::FilterEffect::copyUnmultipliedImage): Ditto.
(WebCore::FilterEffect::copyPremultipliedImage): Ditto.

LayoutTests:

* fast/canvas/canvas-getImageData-invalid-result-buffer-crash.html: Added.
* fast/canvas/canvas-getImageData-invalid-result-buffer-crash-expected.txt: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (202886 => 202887)


--- trunk/LayoutTests/ChangeLog	2016-07-07 00:33:51 UTC (rev 202886)
+++ trunk/LayoutTests/ChangeLog	2016-07-07 01:02:57 UTC (rev 202887)
@@ -1,3 +1,14 @@
+2016-07-06  Brent Fulgham  <[email protected]>
+
+        Return values of JSArray::createUninitialized (and related) are not consistently checked for nullptr
+        https://bugs.webkit.org/show_bug.cgi?id=159495
+        <rdar://problem/26075433>
+
+        Reviewed by Dean Jackson.
+
+        * fast/canvas/canvas-getImageData-invalid-result-buffer-crash.html: Added.
+        * fast/canvas/canvas-getImageData-invalid-result-buffer-crash-expected.txt: Added.
+
 2016-07-06  Ryan Haddad  <[email protected]>
 
         Marking media/restore-from-page-cache.html as a flaky crash on mac-wk2 debug

Added: trunk/LayoutTests/fast/canvas/canvas-getImageData-invalid-result-buffer-crash-expected.txt (0 => 202887)


--- trunk/LayoutTests/fast/canvas/canvas-getImageData-invalid-result-buffer-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/canvas-getImageData-invalid-result-buffer-crash-expected.txt	2016-07-07 01:02:57 UTC (rev 202887)
@@ -0,0 +1,7 @@
+CONSOLE MESSAGE: line 8: Unable to get image data from canvas. Requested size was 381000000 x 2
+CONSOLE MESSAGE: line 8: InvalidStateError: DOM Exception 11: The object is in an invalid state.
+PASSED (If this page did not crash.)
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
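Review bot: the expectation hard-codes both the normalized request size ("381000000 x 2") and the exact exception text ("InvalidStateError: DOM Exception 11"), so the test only passes if the allocation for 381000000 x 2 RGBA pixels (about 3 GB) actually fails on the test machine. On a configuration that can satisfy that request neither console line is emitted and the test fails rather than passes. Either choose a request that is rejected regardless of available memory, or loosen the expectation so that a returned ImageData is also accepted as "did not crash".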

Added: trunk/LayoutTests/fast/canvas/canvas-getImageData-invalid-result-buffer-crash.html (0 => 202887)


--- trunk/LayoutTests/fast/canvas/canvas-getImageData-invalid-result-buffer-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/canvas-getImageData-invalid-result-buffer-crash.html	2016-07-07 01:02:57 UTC (rev 202887)
@@ -0,0 +1,18 @@
+<html>
+<head>
+<script src=""
+<script>
+function runTest() {
+    var canvas = document.getElementById("test");
+    var ctx = canvas.getContext("2d");
+    ctx.getImageData(10000, 125, -381000000, -0.9);
+}
+</script>
+</head>
+<body _onload_="runTest()">
+    <canvas id="test" width="1000" height="1000"></canvas>
+PASSED (If this page did not crash.)
+    <pre id='console'></pre>
+    <script src=""
+</body>
+</html>
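Review bot: the test never asserts that getImageData throws; it only reports "PASSED" if the page survives, and the InvalidStateError surfaces as an uncaught exception in the console. The expected output shows the js-test harness is loaded ("PASS successfullyParsed is true"), so wrap the call in shouldThrow(...) to make the thrown InvalidStateError an explicit assertion. Two smaller points in the same file: both script tags have an empty src in this listing, and the body uses `_onload_` rather than `onload`, which would not fire runTest at all; please double-check both before landing.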

Modified: trunk/Source/WebCore/ChangeLog (202886 => 202887)


--- trunk/Source/WebCore/ChangeLog	2016-07-07 00:33:51 UTC (rev 202886)
+++ trunk/Source/WebCore/ChangeLog	2016-07-07 01:02:57 UTC (rev 202887)
@@ -1,3 +1,27 @@
+2016-07-06  Brent Fulgham  <[email protected]>
+
+        Return values of JSArray::createUninitialized (and related) are not consistently checked for nullptr
+        https://bugs.webkit.org/show_bug.cgi?id=159495
+        <rdar://problem/26075433>
+
+        Reviewed by Dean Jackson.
+
+        Test: fast/canvas/canvas-getImageData-invalid-result-buffer-crash.html
+
+        * html/ImageData.cpp:
+        (WebCore::ImageData::ImageData): Assert at construction if we could not create a valid
+        buffer.
+        * platform/SharedBuffer.cpp:
+        (WebCore::SharedBuffer::createArrayBuffer): Check for a null buffer before using it.
+        * platform/graphics/cg/ImageBufferDataCG.cpp:
+        (WebCore::ImageBufferData::getData): Ditto.
+        * platform/graphics/filters/FEGaussianBlur.cpp:
+        (WebCore::FEGaussianBlur::platformApplySoftware): Ditto.
+        * platform/graphics/filters/FilterEffect.cpp:
+        (WebCore::FilterEffect::copyImageBytes): Ditto.
+        (WebCore::FilterEffect::copyUnmultipliedImage): Ditto.
+        (WebCore::FilterEffect::copyPremultipliedImage): Ditto.
+
 2016-07-06  Chris Dumez  <[email protected]>
 
         Document.body should return the first child of the html element that is either a body / frameset element
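Review bot: the ChangeLog omits html/canvas/CanvasRenderingContext2D.cpp, which this revision also modifies. Add an entry for (WebCore::CanvasRenderingContext2D::getImageData) noting that a null return from getUnmultipliedImageData, which previously produced a silent nullptr result, now logs a console message and sets ec = INVALID_STATE_ERR, since that is a web-visible behaviour change and the new expectation file depends on it.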

Modified: trunk/Source/WebCore/html/ImageData.cpp (202886 => 202887)


--- trunk/Source/WebCore/html/ImageData.cpp	2016-07-07 00:33:51 UTC (rev 202886)
+++ trunk/Source/WebCore/html/ImageData.cpp	2016-07-07 01:02:57 UTC (rev 202887)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2016 Apple Inc. All rights reserved.
  * Copyright (C) 2014 Adobe Systems Incorporated. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -115,6 +115,7 @@
     : m_size(size)
     , m_data(Uint8ClampedArray::createUninitialized(size.width() * size.height() * 4))
 {
+    ASSERT_WITH_SECURITY_IMPLICATION(m_data);
 }
 
 ImageData::ImageData(const IntSize& size, Ref<Uint8ClampedArray>&& byteArray)
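Review bot: ASSERT_WITH_SECURITY_IMPLICATION(m_data) only fires in debug builds; in release a failed Uint8ClampedArray::createUninitialized leaves m_data null and the ImageData is still handed out, so the null dereference this bug is about is moved, not removed. Prefer RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(m_data), or better, do the allocation in the factory and return nullptr on failure so callers can handle it the way getImageData now does. The length argument `size.width() * size.height() * 4` on the line above is also plain int arithmetic that can wrap before it reaches createUninitialized; compute it with Checked<unsigned> as ImageBufferDataCG.cpp does via `area.unsafeGet()`.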

Modified: trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp (202886 => 202887)


--- trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp	2016-07-07 00:33:51 UTC (rev 202886)
+++ trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp	2016-07-07 01:02:57 UTC (rev 202887)
@@ -2031,8 +2031,17 @@
         return createEmptyImageData(imageDataRect.size());
 
     RefPtr<Uint8ClampedArray> byteArray = buffer->getUnmultipliedImageData(imageDataRect, coordinateSystem);
-    if (!byteArray)
+    if (!byteArray) {
+        StringBuilder consoleMessage;
+        consoleMessage.appendLiteral("Unable to get image data from canvas. Requested size was ");
+        consoleMessage.appendNumber(imageDataRect.width());
+        consoleMessage.appendLiteral(" x ");
+        consoleMessage.appendNumber(imageDataRect.height());
+
+        canvas()->document().addConsoleMessage(MessageSource::Rendering, MessageLevel::Error, consoleMessage.toString());
+        ec = INVALID_STATE_ERR;
         return nullptr;
+    }
 
     return ImageData::create(imageDataRect.size(), byteArray.releaseNonNull());
 }
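Review bot: this is a web-visible behaviour change (silent nullptr before, thrown InvalidStateError plus a console message now) and should be called out in the ChangeLog, which currently does not list this file. The message reports the normalized rect, which is why the test's call with `-381000000, -0.9` shows up as "381000000 x 2"; if the intent is to help authors, consider echoing the arguments they actually passed, since the normalized numbers are not what they wrote.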

Modified: trunk/Source/WebCore/platform/SharedBuffer.cpp (202886 => 202887)


--- trunk/Source/WebCore/platform/SharedBuffer.cpp	2016-07-07 00:33:51 UTC (rev 202886)
+++ trunk/Source/WebCore/platform/SharedBuffer.cpp	2016-07-07 01:02:57 UTC (rev 202887)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2016 Apple Inc. All rights reserved.
  * Copyright (C) Research In Motion Limited 2009-2010. All rights reserved.
  * Copyright (C) 2015 Canon Inc. All rights reserved.
  *
@@ -144,6 +144,10 @@
 RefPtr<ArrayBuffer> SharedBuffer::createArrayBuffer() const
 {
     RefPtr<ArrayBuffer> arrayBuffer = ArrayBuffer::createUninitialized(static_cast<unsigned>(size()), sizeof(char));
+    if (!arrayBuffer) {
+        WTFLogAlways("SharedBuffer::createArrayBuffer Unable to create buffer. Requested size was %d x %lu\n", size(), sizeof(char));
+        return nullptr;
+    }
 
     const char* segment = 0;
     unsigned position = 0;
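Review bot: the WTFLogAlways format specifiers do not match the arguments: size() is cast to unsigned on the line above but printed with %d, and sizeof(char) is a size_t but printed with %lu; use %u and %zu (the current form is a -Wformat warning and is wrong on platforms where size_t is not unsigned long). "Requested size was %d x %lu" also reads like a width x height as in the other messages in this patch, when it is really byte count times element size; "Requested size was %u bytes" would be clearer.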

Modified: trunk/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp (202886 => 202887)


--- trunk/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp	2016-07-07 00:33:51 UTC (rev 202886)
+++ trunk/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp	2016-07-07 01:02:57 UTC (rev 202887)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -97,11 +97,9 @@
         return nullptr;
 
     auto result = Uint8ClampedArray::createUninitialized(area.unsafeGet());
-    unsigned char* resultData = result->data();
-    if (!resultData) {
-        WTFLogAlways("ImageBufferData: Unable to create buffer. Requested size was %d x %d = %u\n", rect.width(), rect.height(), area.unsafeGet());
+    unsigned char* resultData = result ? result->data() : nullptr;
+    if (!resultData)
         return nullptr;
-    }
 
     Checked<int> endx = rect.maxX();
     endx *= ceilf(resolutionScale);
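Review bot: this hunk removes the WTFLogAlways diagnostic that the old code emitted when the buffer could not be created, while every other allocation-failure path in this patch adds one. Keep the log inside the `if (!resultData)` branch (it can stay where it was, the only change needed is the `result ? result->data() : nullptr` guard above it) so that this is not the one failure path that is silent.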

Modified: trunk/Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp (202886 => 202887)


--- trunk/Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp	2016-07-07 00:33:51 UTC (rev 202886)
+++ trunk/Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp	2016-07-07 01:02:57 UTC (rev 202887)
@@ -5,7 +5,7 @@
  * Copyright (C) 2009 Dirk Schulze <[email protected]>
  * Copyright (C) 2010 Igalia, S.L.
  * Copyright (C) Research In Motion Limited 2010. All rights reserved.
- * Copyright (C) 2015 Apple, Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple, Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
@@ -540,9 +540,12 @@
     IntSize paintSize = absolutePaintRect().size();
     paintSize.scale(filter().filterScale());
     RefPtr<Uint8ClampedArray> tmpImageData = Uint8ClampedArray::createUninitialized(paintSize.width() * paintSize.height() * 4);
-    Uint8ClampedArray* tmpPixelArray = tmpImageData.get();
+    if (!tmpImageData) {
+        WTFLogAlways("FEGaussianBlur::platformApplySoftware Unable to create buffer. Requested size was %d x %d\n", paintSize.width(), paintSize.height());
+        return;
+    }
 
-    platformApply(srcPixelArray, tmpPixelArray, kernelSize.width(), kernelSize.height(), paintSize);
+    platformApply(srcPixelArray, tmpImageData.get(), kernelSize.width(), kernelSize.height(), paintSize);
 }
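Review bot: the null check covers the allocation but not the size passed to it: `paintSize.width() * paintSize.height() * 4` on the createUninitialized line is unchecked int arithmetic, so a wrapped product yields a small but non-null buffer and platformApply, which is handed paintSize, will write the full pixel count into it. Compute the byte count with Checked<unsigned> and take the same early return (with the same log) when it overflows, as ImageBufferData::getData does with `area.unsafeGet()`.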
 
 void FEGaussianBlur::dump()

Modified: trunk/Source/WebCore/platform/graphics/filters/FilterEffect.cpp (202886 => 202887)


--- trunk/Source/WebCore/platform/graphics/filters/FilterEffect.cpp	2016-07-07 00:33:51 UTC (rev 202886)
+++ trunk/Source/WebCore/platform/graphics/filters/FilterEffect.cpp	2016-07-07 01:02:57 UTC (rev 202887)
@@ -3,7 +3,7 @@
  * Copyright (C) 2009 Dirk Schulze <[email protected]>
  * Copyright (C) Research In Motion Limited 2010. All rights reserved.
  * Copyright (C) 2012 University of Szeged
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
@@ -259,6 +259,9 @@
     IntSize scaledPaintSize(m_absolutePaintRect.size());
     scaledPaintSize.scale(m_filter.filterScale());
 
+    if (!source || !destination)
+        return;
+
     // Initialize the destination to transparent black, if not entirely covered by the source.
     if (scaledRect.x() < 0 || scaledRect.y() < 0 || scaledRect.maxX() > scaledPaintSize.width() || scaledRect.maxY() > scaledPaintSize.height())
         memset(destination->data(), 0, destination->length());
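Review bot: `if (!source || !destination) return;` is silent, whereas the other null-handling sites added in this patch log via WTFLogAlways; add the same log here so an allocation failure inside a filter chain is diagnosable. Separately, when source is null but destination is not, destination is returned untouched, and since these buffers come from createUninitialized (see the copyUnmultipliedImage and copyPremultipliedImage hunks below) the caller may then consume uninitialized bytes; clearing destination to transparent black before that early return would avoid propagating them.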
@@ -314,6 +317,10 @@
             ASSERT(!ImageBuffer::sizeNeedsClamping(inputSize));
             inputSize.scale(m_filter.filterScale());
             m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized(inputSize.width() * inputSize.height() * 4);
+            if (!m_unmultipliedImageResult) {
+                WTFLogAlways("FilterEffect::copyUnmultipliedImage Unable to create buffer. Requested size was %d x %d\n", inputSize.width(), inputSize.height());
+                return;
+            }
             unsigned char* sourceComponent = m_premultipliedImageResult->data();
             unsigned char* destinationComponent = m_unmultipliedImageResult->data();
             unsigned char* end = sourceComponent + (inputSize.width() * inputSize.height() * 4);
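Review bot: on allocation failure this returns with m_unmultipliedImageResult null and the caller's destination untouched, so the crash is avoided but whoever asked for the copy continues with a buffer that was never filled; callers need a way to see that (a bool return, or leaving the result in a state they check). Also, `inputSize.width() * inputSize.height() * 4` is unchecked int arithmetic used both for the createUninitialized length and for `end`, and the ASSERT(!ImageBuffer::sizeNeedsClamping(inputSize)) just above is debug-only and runs before inputSize.scale(); use Checked<unsigned> for the scaled byte count so a wrapped product cannot produce an undersized buffer.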
@@ -350,6 +357,10 @@
             ASSERT(!ImageBuffer::sizeNeedsClamping(inputSize));
             inputSize.scale(m_filter.filterScale());
             m_premultipliedImageResult = Uint8ClampedArray::createUninitialized(inputSize.width() * inputSize.height() * 4);
+            if (!m_premultipliedImageResult) {
+                WTFLogAlways("FilterEffect::copyPremultipliedImage Unable to create buffer. Requested size was %d x %d\n", inputSize.width(), inputSize.height());
+                return;
+            }
             unsigned char* sourceComponent = m_unmultipliedImageResult->data();
             unsigned char* destinationComponent = m_premultipliedImageResult->data();
             unsigned char* end = sourceComponent + (inputSize.width() * inputSize.height() * 4);
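Review bot: same shape as the copyUnmultipliedImage hunk: the early return leaves m_premultipliedImageResult null and the caller's destination unfilled with no way to tell, and `inputSize.width() * inputSize.height() * 4` is unchecked int arithmetic computed after inputSize.scale(), past the debug-only sizeNeedsClamping ASSERT. Signal the failure to the caller and compute the byte count with Checked<unsigned> before calling createUninitialized.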
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
