[webkit-changes] [277255] trunk/Source/WebCore

Sun, 09 May 2021 18:48:19 -0700

Title: [277255] trunk/Source/WebCore
Revision
277255
Author
[email protected]
Date
2021-05-09 18:48:09 -0700 (Sun, 09 May 2021)

Log Message

Add back protection of the pixel buffer in ImageBufferCGBackend::toCFData removed in r277237
https://bugs.webkit.org/show_bug.cgi?id=225574

Reviewed by Darin Adler.

In r277237, I accidentally removed a `RefPtr<Uint8ClampedArray> protectedPixelArray`
in ImageBufferCGBackend::toCFData that was needed to avoided crashing in some cases
when running fast/canvas/canvas-toDataURL-jpeg-crash.html.

Since it wasn't super clear what it was doing, this switches to using the more idiomatic
method of keeping the data alive in a CGDataProviderRef by passing the leaked image data
as the context and derefing in the callback lambda.

Just to be consistent, I went to other callers of CGDataProviderCreateWithData and
updated them to be idiomatically consistent.

* platform/graphics/cg/GraphicsContextGLCG.cpp:
(WebCore::GraphicsContextGLOpenGL::paintToCanvas):
(WebCore::releaseImageData): Deleted.
* platform/graphics/cg/ImageBufferCGBackend.cpp:
(WebCore::ImageBufferCGBackend::toCFData const):
* platform/graphics/cg/ImageBufferCGBitmapBackend.cpp:
(WebCore::ImageBufferCGBitmapBackend::create):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (277254 => 277255)


--- trunk/Source/WebCore/ChangeLog	2021-05-10 00:26:01 UTC (rev 277254)
+++ trunk/Source/WebCore/ChangeLog	2021-05-10 01:48:09 UTC (rev 277255)
@@ -1,3 +1,29 @@
+2021-05-09  Sam Weinig  <[email protected]>
+
+        Add back protection of the pixel buffer in ImageBufferCGBackend::toCFData removed in r277237
+        https://bugs.webkit.org/show_bug.cgi?id=225574
+
+        Reviewed by Darin Adler.
+
+        In r277237, I accidentally removed a `RefPtr<Uint8ClampedArray> protectedPixelArray`
+        in ImageBufferCGBackend::toCFData that was needed to avoided crashing in some cases
+        when running fast/canvas/canvas-toDataURL-jpeg-crash.html.
+
+        Since it wasn't super clear what it was doing, this switches to using the more idiomatic
+        method of keeping the data alive in a CGDataProviderRef by passing the leaked image data
+        as the context and derefing in the callback lambda.
+
+        Just to be consistent, I went to other callers of CGDataProviderCreateWithData and
+        updated them to be idiomatically consistent.
+
+        * platform/graphics/cg/GraphicsContextGLCG.cpp:
+        (WebCore::GraphicsContextGLOpenGL::paintToCanvas):
+        (WebCore::releaseImageData): Deleted.
+        * platform/graphics/cg/ImageBufferCGBackend.cpp:
+        (WebCore::ImageBufferCGBackend::toCFData const):
+        * platform/graphics/cg/ImageBufferCGBitmapBackend.cpp:
+        (WebCore::ImageBufferCGBitmapBackend::create):
+
 2021-05-09  Lauro Moura  <[email protected]>
 
         [WebXR] Remove reference cycle in WebXRSession

Modified: trunk/Source/WebCore/platform/graphics/cg/GraphicsContextGLCG.cpp (277254 => 277255)


--- trunk/Source/WebCore/platform/graphics/cg/GraphicsContextGLCG.cpp	2021-05-10 00:26:01 UTC (rev 277254)
+++ trunk/Source/WebCore/platform/graphics/cg/GraphicsContextGLCG.cpp	2021-05-10 01:48:09 UTC (rev 277255)
@@ -506,11 +506,6 @@
     return true;
 }
 
-static void releaseImageData(void* imageData, const void*, size_t)
-{
-    reinterpret_cast<ImageData*>(imageData)->deref();
-}
-
 void GraphicsContextGLOpenGL::paintToCanvas(const GraphicsContextGLAttributes& sourceContextAttributes, Ref<ImageData>&& imageData, const IntSize& canvasSize, GraphicsContext& context)
 {
     ASSERT(!imageData->size().isEmpty());
@@ -528,13 +523,14 @@
 
     auto imageSize = imageData->size();
     int rowBytes = imageSize.width() * 4;
-        size_t dataSize = rowBytes * imageSize.height();
+    size_t dataSize = rowBytes * imageSize.height();
     uint8_t* imagePixels = imageData->data().data();
-        verifyImageBufferIsBigEnough(imagePixels, dataSize);
-    RetainPtr<CGDataProviderRef> dataProvider = adoptCF(CGDataProviderCreateWithData(&imageData.leakRef(), imagePixels, dataSize, releaseImageData));
+    verifyImageBufferIsBigEnough(imagePixels, dataSize);
+    auto dataProvider = adoptCF(CGDataProviderCreateWithData(&imageData.leakRef(), imagePixels, dataSize, [] (void* context, const void*, size_t) {
+        reinterpret_cast<ImageData*>(context)->deref();
+    }));
 
-    auto image = NativeImage::create(adoptCF(CGImageCreate(imageSize.width(), imageSize.height(), 8, 32, rowBytes, sRGBColorSpaceRef(), bitmapInfo,
-        dataProvider.get(), 0, false, kCGRenderingIntentDefault)));
+    auto image = NativeImage::create(adoptCF(CGImageCreate(imageSize.width(), imageSize.height(), 8, 32, rowBytes, sRGBColorSpaceRef(), bitmapInfo, dataProvider.get(), 0, false, kCGRenderingIntentDefault)));
 
     // CSS styling may cause the canvas's content to be resized on
     // the page. Go back to the Canvas to figure out the correct

Modified: trunk/Source/WebCore/platform/graphics/cg/ImageBufferCGBackend.cpp (277254 => 277255)


--- trunk/Source/WebCore/platform/graphics/cg/ImageBufferCGBackend.cpp	2021-05-10 00:26:01 UTC (rev 277254)
+++ trunk/Source/WebCore/platform/graphics/cg/ImageBufferCGBackend.cpp	2021-05-10 01:48:09 UTC (rev 277255)
@@ -191,12 +191,16 @@
         if (!imageData)
             return nullptr;
 
-        auto protectedPixelArray = makeRef(imageData->data());
-        size_t dataSize = protectedPixelArray->byteLength();
-        IntSize pixelArrayDimensions = imageData->size();
+        auto& pixelArray = imageData->data();
+        auto dataSize = pixelArray.byteLength();
+        auto pixelArrayDimensions = imageData->size();
 
-        verifyImageBufferIsBigEnough(protectedPixelArray->data(), dataSize);
-        auto dataProvider = adoptCF(CGDataProviderCreateWithData(nullptr, protectedPixelArray->data(), dataSize, nullptr));
+        verifyImageBufferIsBigEnough(pixelArray.data(), dataSize);
+
+        auto dataProvider = adoptCF(CGDataProviderCreateWithData(imageData.leakRef(), pixelArray.data(), dataSize, [] (void* context, const void*, size_t) {
+            reinterpret_cast<ImageData*>(context)->deref();
+        }));
+        
         if (!dataProvider)
             return nullptr;

Modified: trunk/Source/WebCore/platform/graphics/cg/ImageBufferCGBitmapBackend.cpp (277254 => 277255)


--- trunk/Source/WebCore/platform/graphics/cg/ImageBufferCGBitmapBackend.cpp	2021-05-10 00:26:01 UTC (rev 277254)
+++ trunk/Source/WebCore/platform/graphics/cg/ImageBufferCGBitmapBackend.cpp	2021-05-10 01:48:09 UTC (rev 277255)
@@ -87,12 +87,10 @@
 
     auto context = makeUnique<GraphicsContext>(cgContext.get());
 
-    const auto releaseImageData = [] (void*, const void* data, size_t) {
+    auto dataProvider = adoptCF(CGDataProviderCreateWithData(nullptr, data, numBytes, [] (void*, const void* data, size_t) {
         fastFree(const_cast<void*>(data));
-    };
+    }));
 
-    auto dataProvider = adoptCF(CGDataProviderCreateWithData(0, data, numBytes, releaseImageData));
-
     return std::unique_ptr<ImageBufferCGBitmapBackend>(new ImageBufferCGBitmapBackend(parameters, data, WTFMove(dataProvider), WTFMove(context)));
 }
 

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to