Title: [211935] releases/WebKitGTK/webkit-2.14
Revision
211935
Author
[email protected]
Date
2017-02-09 00:54:46 -0800 (Thu, 09 Feb 2017)

Log Message

Merge r208628 - Neutered ArrayBuffers are not properly serialized
https://bugs.webkit.org/show_bug.cgi?id=164647
<rdar://problem/29213490>

Reviewed by David Kilzer.

Source/WebCore:

Correct binding logic to handle ImageBuffers being deserialized from neutered ArrayBuffers.

Test: fast/canvas/neutered-imagedata.html

* bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::readTerminal):

LayoutTests:

* fast/canvas/neutered-imagedata-expected.txt: Added.
* fast/canvas/neutered-imagedata.html: Added.

Diff

Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog (211934 => 211935)


--- releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog	2017-02-09 08:54:34 UTC (rev 211934)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog	2017-02-09 08:54:46 UTC (rev 211935)
@@ -1,3 +1,14 @@
+2016-11-11  Brent Fulgham  <[email protected]>
+
+        Neutered ArrayBuffers are not properly serialized
+        https://bugs.webkit.org/show_bug.cgi?id=164647
+        <rdar://problem/29213490>
+
+        Reviewed by David Kilzer.
+
+        * fast/canvas/neutered-imagedata-expected.txt: Added.
+        * fast/canvas/neutered-imagedata.html: Added.
+
 2016-11-16  Brent Fulgham  <[email protected]>
 
         Clear track client when removing a track

Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/canvas/neutered-imagedata-expected.txt (0 => 211935)


--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/canvas/neutered-imagedata-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/canvas/neutered-imagedata-expected.txt	2017-02-09 08:54:46 UTC (rev 211935)
@@ -0,0 +1,10 @@
+Tests that serialized image buffers account for neutered state.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Found only zeros.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/canvas/neutered-imagedata.html (0 => 211935)


--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/canvas/neutered-imagedata.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/canvas/neutered-imagedata.html	2017-02-09 08:54:46 UTC (rev 211935)
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<script src=""
+<script>
+description('Tests that serialized image buffers account for neutered state.');
+
+window.jsTestIsAsync = true;
+
+function checkState(state) {
+    var elementCount = state.width * state.height;
+
+    for (var i = 0; i < elementCount; ++i) {
+        if (state.data[i] != 0) {
+            testFailed("Found non-zero data.");
+            finishJSTest();
+            return;
+        }
+    }
+
+    testPassed("Found only zeros.");
+    finishJSTest();
+}
+
+function runTest() {
+	if (window.testRunner) {
+	    testRunner.dumpAsText(true);
+        testRunner.waitUntilDone();
+    }
+
+    var id = new ImageData(1, 256);
+
+    // This will neuter the data buffer.
+    postMessage("", "*", [id.data.buffer]);
+
+    history.pushState(id, "");
+
+    setTimeout(function() {
+        checkState(history.state);
+    }, 0);
+}
+</script>
+</head>
+<body _onload_="runTest()">
+</body>
+</html>
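Review bot: `checkState` only inspects the first `width * height` entries of `state.data`, but an ImageData buffer carries four bytes per pixel (RGBA), so three quarters of the deserialized buffer are never examined and a partially non-zero result could still report "Found only zeros."; iterate to `state.data.length` (or `width * height * 4`) instead of `elementCount`. Two smaller points in the same hunk: the opening `<script src=""` line as rendered has an empty `src` and no closing tag, so the `description`, `testPassed`, `testFailed` and `finishJSTest` helpers the page relies on are not visibly sourced, which is worth confirming against the committed file; and `runTest` mixes tab and space indentation on its first two lines, unlike the rest of the file.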

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog (211934 => 211935)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog	2017-02-09 08:54:34 UTC (rev 211934)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog	2017-02-09 08:54:46 UTC (rev 211935)
@@ -1,3 +1,26 @@
+2016-11-11  Brent Fulgham  <[email protected]>
+
+        Unreviewed build fix after r208628
+
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneDeserializer::readTerminal): Cast pointer arithmetic to
+        uint32_t to avoid warning.
+
+2016-11-11  Brent Fulgham  <[email protected]>
+
+        Neutered ArrayBuffers are not properly serialized
+        https://bugs.webkit.org/show_bug.cgi?id=164647
+        <rdar://problem/29213490>
+
+        Reviewed by David Kilzer.
+
+        Correct binding logic to handle ImageBuffers being deserialized from neutered ArrayBuffers.
+
+        Test: fast/canvas/neutered-imagedata.html
+
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneDeserializer::readTerminal):
+
 2016-11-16  Brent Fulgham  <[email protected]>
 
         Clear track client when removing a track
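Review bot: the merge log at the top of this page cites only r208628, yet this hunk folds in a second entry, "Unreviewed build fix after r208628", whose `uint32_t` cast is what actually lands in `SerializedScriptValue.cpp` below; the entry carries no revision number, so the backport cannot be traced to the upstream build fix. Suggest citing the follow-up revision in both the ChangeLog entry and the merge log so that the branch state matches trunk verifiably.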

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/js/SerializedScriptValue.cpp (211934 => 211935)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/js/SerializedScriptValue.cpp	2017-02-09 08:54:34 UTC (rev 211934)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/js/SerializedScriptValue.cpp	2017-02-09 08:54:46 UTC (rev 211935)
@@ -2274,7 +2274,7 @@
             uint32_t length;
             if (!read(length))
                 return JSValue();
-            if (m_end < ((uint8_t*)0) + length || m_ptr > m_end - length) {
+            if (static_cast<uint32_t>(m_end - m_ptr) < length) {
                 fail();
                 return JSValue();
             }
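Review bot: the replacement `if` condition narrows a pointer difference to `uint32_t`, which is fail-closed only while `m_ptr <= m_end` holds: a remaining span larger than 4 GiB truncates and can trip a spurious `fail()`, which is harmless, but a negative difference would wrap to a large unsigned value and let an oversized `length` through the check. The old condition guarded that direction with `m_ptr > m_end - length`. Consider pairing the new check with `ASSERT(m_ptr <= m_end)` or comparing as `static_cast<size_t>(m_end - m_ptr) < length` so nothing is truncated on 64-bit builds.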
@@ -2282,8 +2282,17 @@
                 m_ptr += length;
                 return jsNull();
             }
-            RefPtr<ImageData> result = ImageData::create(IntSize(width, height));
-            memcpy(result->data()->data(), m_ptr, length);
+            IntSize imageSize(width, height);
+            RELEASE_ASSERT(!length || (imageSize.area() * 4).unsafeGet() <= length);
+            RefPtr<ImageData> result = ImageData::create(imageSize);
+            if (!result) {
+                fail();
+                return JSValue();
+            }
+            if (length)
+                memcpy(result->data()->data(), m_ptr, length);
+            else
+                result->data()->zeroFill();
             m_ptr += length;
             return getJSValue(result.get());
         }
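Review bot: the `RELEASE_ASSERT` added after `IntSize imageSize(width, height);` bounds the wrong side of the copy that follows. `memcpy` writes `length` bytes into `result->data()->data()`, whose capacity is `imageSize.area() * 4` bytes, but the assertion only establishes `area * 4 <= length`, so a stream whose `length` exceeds `area * 4` satisfies it and the copy overruns the destination. Given the zero-length convention for a neutered buffer that the `else` / `zeroFill()` branch relies on, the non-zero case should require equality: `RELEASE_ASSERT(!length || (imageSize.area() * 4).unsafeGet() == length)`, or, more in keeping with the surrounding code, treat a mismatch like the other malformed-input cases in this function and call `fail()` and `return JSValue()` rather than crashing the process. The new null check on `result` after `ImageData::create` is the right shape for that.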
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
