Title: [168457] trunk
Revision: 168457
Author: d...@apple.com
Date: 2014-05-07 18:30:21 -0700 (Wed, 07 May 2014)

Log Message

Using a fill pattern much larger than actual canvas reliably segfaults browser
https://bugs.webkit.org/show_bug.cgi?id=132635

Reviewed by Simon Fraser.

Source/WebCore:
Make sure that createPattern checks that the canvas it is about to use
as a source is valid.

Test: fast/canvas/pattern-too-large-to-create.html

* html/canvas/CanvasRenderingContext2D.cpp:
(WebCore::CanvasRenderingContext2D::createPattern): Check that the source canvas has
an ok ImageBuffer.

LayoutTests:
Test case that makes a huge canvas and tries to create a pattern out of it.

* fast/canvas/pattern-too-large-to-create-expected.html: Added.
* fast/canvas/pattern-too-large-to-create.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (168456 => 168457)


--- trunk/LayoutTests/ChangeLog	2014-05-08 01:16:53 UTC (rev 168456)
+++ trunk/LayoutTests/ChangeLog	2014-05-08 01:30:21 UTC (rev 168457)
@@ -1,3 +1,15 @@
+2014-05-07  Dean Jackson  <d...@apple.com>
+
+        Using a fill pattern much larger than actual canvas reliably segfaults browser
+        https://bugs.webkit.org/show_bug.cgi?id=132635
+
+        Reviewed by Simon Fraser.
+
+        Test case that makes a huge canvas and tries to create a pattern out of it.
+
+        * fast/canvas/pattern-too-large-to-create-expected.html: Added.
+        * fast/canvas/pattern-too-large-to-create.html: Added.
+
 2014-05-07  Geoffrey Garen  <gga...@apple.com>
 
         REGRESSION (r161429?): Frequent crashes on media/track/media-element-enqueue-event-crash.html
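Review bot: the added file named in this entry, `fast/canvas/pattern-too-large-to-create-expected.html`, does not match what the commit actually adds, which is `pattern-too-large-to-create-expected.txt` (a text expectation for a dumpAsText test). Suggest correcting the line to `* fast/canvas/pattern-too-large-to-create-expected.txt: Added.` so the ChangeLog agrees with the tree.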

Added: trunk/LayoutTests/fast/canvas/pattern-too-large-to-create-expected.txt (0 => 168457)


--- trunk/LayoutTests/fast/canvas/pattern-too-large-to-create-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/pattern-too-large-to-create-expected.txt	2014-05-08 01:30:21 UTC (rev 168457)
@@ -0,0 +1 @@
+PASS: Saw exception.
Property changes on: trunk/LayoutTests/fast/canvas/pattern-too-large-to-create-expected.txt
___________________________________________________________________

Added: svn:mime-type

Added: svn:keywords

Added: svn:eol-style

Added: trunk/LayoutTests/fast/canvas/pattern-too-large-to-create.html (0 => 168457)


--- trunk/LayoutTests/fast/canvas/pattern-too-large-to-create.html	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/pattern-too-large-to-create.html	2014-05-08 01:30:21 UTC (rev 168457)
@@ -0,0 +1,29 @@
+<body>
+<script>
+if (window.testRunner)
+    window.testRunner.dumpAsText();
+
+var canvas = document.createElement("canvas");
+canvas.width = 100;
+canvas.height = 100;
+
+// Make a pattern so large that it will fail to be allocated.
+var patternCanvas = document.createElement("canvas");
+patternCanvas.width = 300000;
+patternCanvas.height = 300000;
+
+var ctx = canvas.getContext("2d");
+var pattern;
+try {
+    pattern = ctx.createPattern(patternCanvas, "repeat");
+} catch (e) {
+    if (e.code == DOMException.INVALID_STATE_ERR)
+        document.body.appendChild(document.createTextNode("PASS: Saw exception."));
+}
+
+// The remainder of this code doesn't really matter, since pattern is null.
+ctx.rect(0, 0, canvas.width, canvas.height);
+ctx.fillStyle = pattern;
+
+ctx.fill();
+</script>
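Review bot: the try/catch records a result only on the expected path; if `createPattern` returns without throwing, or throws with a code other than `INVALID_STATE_ERR`, the document stays empty and the failure shows up only as a silent mismatch against the expected text. Suggest an explicit negative branch so the output is diagnostic, for example setting a flag in the `if` and appending `"FAIL: No exception, or wrong exception code."` after the try block when the flag is unset. The comment "since pattern is null" is also slightly off: when the exception is thrown, `pattern` is never assigned and is `undefined`, and the assignment to `ctx.fillStyle` is then ignored; the comment could say that instead. Minor: the markup has no closing `</body>` tag.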
Property changes on: trunk/LayoutTests/fast/canvas/pattern-too-large-to-create.html
___________________________________________________________________

Added: svn:mime-type

Added: svn:keywords

Added: svn:eol-style

Modified: trunk/Source/WebCore/ChangeLog (168456 => 168457)


--- trunk/Source/WebCore/ChangeLog	2014-05-08 01:16:53 UTC (rev 168456)
+++ trunk/Source/WebCore/ChangeLog	2014-05-08 01:30:21 UTC (rev 168457)
@@ -1,3 +1,19 @@
+2014-05-07  Dean Jackson  <d...@apple.com>
+
+        Using a fill pattern much larger than actual canvas reliably segfaults browser
+        https://bugs.webkit.org/show_bug.cgi?id=132635
+
+        Reviewed by Simon Fraser.
+
+        Make sure that createPattern checks that the canvas it is about to use
+        as a source is valid.
+
+        Test: fast/canvas/pattern-too-large-to-create.html
+
+        * html/canvas/CanvasRenderingContext2D.cpp:
+        (WebCore::CanvasRenderingContext2D::createPattern): Check that the source canvas has
+        an ok ImageBuffer.
+
 2014-05-07  Pratik Solanki  <psola...@apple.com>
 
         Use system defaults for hardware jpeg decoding
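Review bot: the entry describes the new check but not its observable effect. Because a null ImageBuffer now takes the same branch as a zero-sized canvas, script receives an `INVALID_STATE_ERR` exception from `createPattern` where it previously crashed; recording that in the entry (for example, "throw INVALID_STATE_ERR when the source canvas has no backing buffer") would make the behaviour change easy to find later.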

Modified: trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp (168456 => 168457)


--- trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp	2014-05-08 01:16:53 UTC (rev 168456)
+++ trunk/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp	2014-05-08 01:30:21 UTC (rev 168457)
@@ -1772,7 +1772,7 @@
         ec = TYPE_MISMATCH_ERR;
         return 0;
     }
-    if (!canvas->width() || !canvas->height()) {
+    if (!canvas->width() || !canvas->height() || !canvas->buffer()) {
         ec = INVALID_STATE_ERR;
         return 0;
     }
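Review bot: the new `!canvas->buffer()` condition reuses the zero-dimension branch and its `INVALID_STATE_ERR`, so a canvas whose backing store could not be created is reported to script the same way as an empty canvas. That is a defensible choice, but the line deserves a short comment explaining that `buffer()` is null when the backing store could not be allocated (the oversized-canvas case from the bug), since a reader otherwise has to guess why a buffer check sits beside dimension checks. This hunk guards only `createPattern`; it is worth confirming that other places in this file that read a source canvas's buffer handle the same null case.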
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes