Diff
Modified: releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog (216374 => 216375)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-05-08 09:36:05 UTC (rev 216374)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-05-08 10:11:39 UTC (rev 216375)
@@ -1,3 +1,13 @@
+2017-04-21 Per Arne Vollan <pvol...@apple.com>
+
+ Validate vImage arguments
+ https://bugs.webkit.org/show_bug.cgi?id=171109
+
+ Reviewed by Brent Fulgham.
+
+ * fast/canvas/canvas-crash-expected.txt: Added.
+ * fast/canvas/canvas-crash.html: Added.
+
2017-04-20 Wenson Hsieh <wenson_hs...@apple.com>
Inline anchor elements cannot be dragged when starting the drag from a block descendant
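Review bot: the new LayoutTests ChangeLog entry in this hunk omits the `rdar://problem/30236606` line that the matching WebCore ChangeLog entry for the same change carries; the usual convention is to keep the two entries' headers (bug URL and radar) identical so the test and the fix can be cross-referenced from either log.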
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/fast/canvas/canvas-crash-expected.txt (0 => 216375)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/fast/canvas/canvas-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/fast/canvas/canvas-crash-expected.txt 2017-05-08 10:11:39 UTC (rev 216375)
@@ -0,0 +1 @@
+PASSED
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/fast/canvas/canvas-crash.html (0 => 216375)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/fast/canvas/canvas-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/fast/canvas/canvas-crash.html 2017-05-08 10:11:39 UTC (rev 216375)
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<title>Canvas test: This test passes if it doesn't crash.'</title>
+
+<body>
+
+<a id="a"></a>
+<canvas id="c" class="output" width="100" height="50"></canvas>
+
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+function canvastest()
+{
+ var ctx = document.getCSSCanvasContext("2d", "canvastest", 13951, 11138);
+ ctx.putImageData(ctx.getImageData(1431655766, document.getElementById("a").appendChild(document.createElement("media")).clientWidth, 4096, -1024), 128, -65535, 127, -2147483648, 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111, -1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111);
+}
+
+canvastest();
+
+var result = document.getElementById("a");
+result.innerHTML = "PASSED";
+
+</script>
+
+</body>
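Review bot: the `<title>` in this hunk has a stray apostrophe after the period (`This test passes if it doesn't crash.'`); drop it so the title reads `Canvas test: This test passes if it doesn't crash.`. The test itself only verifies the absence of a crash, which is what the bug asks for; since the accompanying fix now silently skips the write when the clipped source rectangle is empty, a follow-up test that reads back pixels after a `putImageData` call with a partially out-of-range source rectangle would catch a regression in the clipping that this crash test cannot.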
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog (216374 => 216375)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-05-08 09:36:05 UTC (rev 216374)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-05-08 10:11:39 UTC (rev 216375)
@@ -1,3 +1,19 @@
+2017-04-21 Per Arne Vollan <pvol...@apple.com>
+
+ Validate vImage arguments
+ https://bugs.webkit.org/show_bug.cgi?id=171109
+ rdar://problem/30236606
+
+ Reviewed by Brent Fulgham.
+
+ When writing data to a canvas context, clip the source rectangle to the data rectangle
+ to make sure we will not attempt to read data outside of the buffer.
+
+ Test: fast/canvas/canvas-crash.html
+
+ * html/canvas/CanvasRenderingContext2D.cpp:
+ (WebCore::CanvasRenderingContext2D::putImageData):
+
2017-04-21 Gwang Yoon Hwang <y...@igalia.com>
Do not paint the border of the box if the dirty region does not intersect with border area
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp (216374 => 216375)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp 2017-05-08 09:36:05 UTC (rev 216374)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp 2017-05-08 10:11:39 UTC (rev 216375)
@@ -2087,8 +2087,10 @@
return;
IntRect sourceRect(destRect);
sourceRect.move(-destOffset);
+ sourceRect.intersect(IntRect(0, 0, data.width(), data.height()));
- buffer->putByteArray(Unmultiplied, data.data(), IntSize(data.width(), data.height()), sourceRect, IntPoint(destOffset), coordinateSystem);
+ if (!sourceRect.isEmpty())
+ buffer->putByteArray(Unmultiplied, data.data(), IntSize(data.width(), data.height()), sourceRect, IntPoint(destOffset), coordinateSystem);
didDraw(destRect, CanvasDidDrawApplyNone); // ignore transform, shadow and clip
}
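Review bot: after `sourceRect.intersect(IntRect(0, 0, data.width(), data.height()))` the `destRect` passed to `didDraw(destRect, CanvasDidDrawApplyNone)` on the trailing context line is still the unclipped rectangle, so the invalidated region can be larger than what `putByteArray` actually wrote, and `didDraw` is still invoked even when `sourceRect.isEmpty()` and nothing was written. Consider deriving the dirty rectangle from the clipped source (`destRect = sourceRect; destRect.move(destOffset);`) before the `didDraw` call, or returning early when `sourceRect.isEmpty()` instead of only guarding the `putByteArray` call. The clipping itself, intersecting the source rectangle with the data bounds before the copy so no read can run past the end of `data.data()`, is the right fix for the out-of-bounds read described in the bug.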