[webkit-changes] [282453] trunk/Source/WebCore

[carlosgc]

Title: [282453] trunk/Source/WebCore

Revision

282453

Author

carlo...@webkit.org

Date

2021-09-15 07:52:15 -0700 (Wed, 15 Sep 2021)

Log Message

Fix size calculation in ImageBufferCairoImageSurfaceBackend::create()
https://bugs.webkit.org/show_bug.cgi?id=229365

Reviewed by Don Olmstead.

* platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp:
(WebCore::ImageBufferCairoImageSurfaceBackend::calculateSafeBackendSize): Check the result of
cairo_format_stride_for_width() and the multiplication doesn't overflow.
(WebCore::ImageBufferCairoImageSurfaceBackend::create): Use tryFastCalloc() instead of tryFastZeroedMalloc().

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (282452 => 282453)

--- trunk/Source/WebCore/ChangeLog	2021-09-15 14:21:49 UTC (rev 282452)
+++ trunk/Source/WebCore/ChangeLog	2021-09-15 14:52:15 UTC (rev 282453)
@@ -1,3 +1,15 @@
+2021-09-15  Carlos Garcia Campos  <cgar...@igalia.com>
+
+        Fix size calculation in ImageBufferCairoImageSurfaceBackend::create()
+        https://bugs.webkit.org/show_bug.cgi?id=229365
+
+        Reviewed by Don Olmstead.
+
+        * platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp:
+        (WebCore::ImageBufferCairoImageSurfaceBackend::calculateSafeBackendSize): Check the result of
+        cairo_format_stride_for_width() and the multiplication doesn't overflow.
+        (WebCore::ImageBufferCairoImageSurfaceBackend::create): Use tryFastCalloc() instead of tryFastZeroedMalloc().
+
 2021-09-15  Antti Koivisto  <an...@apple.com>
 
         [LFC][Integration] TextBoxSelectableRange::additionalLengthAtEnd miscomputed

Modified: trunk/Source/WebCore/platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp (282452 => 282453)

--- trunk/Source/WebCore/platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp	2021-09-15 14:21:49 UTC (rev 282452)
+++ trunk/Source/WebCore/platform/graphics/cairo/ImageBufferCairoImageSurfaceBackend.cpp	2021-09-15 14:52:15 UTC (rev 282453)
@@ -50,6 +50,14 @@
     if (backendSize.width() > cairoMaxImageSize || backendSize.height() > cairoMaxImageSize)
         return { };
 
+    int stride = cairo_format_stride_for_width(CAIRO_FORMAT_ARGB32, backendSize.width());
+    if (stride == -1)
+        return { };
+
+    CheckedSize bytes = CheckedUint32(backendSize.height()) * stride;
+    if (bytes.hasOverflowed())
+        return { };
+
     return backendSize;
 }
 
@@ -77,7 +85,7 @@
 
     int stride = cairo_format_stride_for_width(CAIRO_FORMAT_ARGB32, backendSize.width());
     void* surfaceData;
-    if (!tryFastZeroedMalloc(backendSize.height() * stride).getValue(surfaceData))
+    if (!tryFastCalloc(backendSize.height(), stride).getValue(surfaceData))
         return nullptr;
 
     auto surface = adoptRef(cairo_image_surface_create_for_data(static_cast<unsigned char*>(surfaceData), CAIRO_FORMAT_ARGB32, backendSize.width(), backendSize.height(), stride));

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes