Modified: trunk/LayoutTests/ChangeLog (178636 => 178637)
--- trunk/LayoutTests/ChangeLog 2015-01-19 00:03:33 UTC (rev 178636)
+++ trunk/LayoutTests/ChangeLog 2015-01-19 05:14:56 UTC (rev 178637)
@@ -1,3 +1,20 @@
+2015-01-18 Dean Jackson <[email protected]>
+
+ Out of bounds write in canvas.toDataURL
+ https://bugs.webkit.org/show_bug.cgi?id=140594
+ <rdar://problem/19449135>
+
+ Reviewed by Alexey Proskuryakov.
+
+ Creates a WebGL context that does not have
+ premultiplied alpha, fills it with 50% transparent white,
+ and attempts to convert the canvas to a JPEG data URL. This
+ exercises the code path that was not accurately
+ allocating data (to flatten the alpha).
+
+ * fast/canvas/webgl/toDataURL-unpremultipliedAlpha-expected.txt: Added.
+ * fast/canvas/webgl/toDataURL-unpremultipliedAlpha.html: Added.
+
2015-01-17 Michael Saboff <[email protected]>
Crash in JSScope::resolve() on tools.ups.com
Added: trunk/LayoutTests/fast/canvas/webgl/toDataURL-unpremultipliedAlpha-expected.txt (0 => 178637)
--- trunk/LayoutTests/fast/canvas/webgl/toDataURL-unpremultipliedAlpha-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/toDataURL-unpremultipliedAlpha-expected.txt 2015-01-19 05:14:56 UTC (rev 178637)
@@ -0,0 +1,17 @@
+Test toDataURL on a non-premultipledAlpha WebGL context.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS gl.getContextAttributes().premultipledAlpha is undefined.
+PASS gl.getContextAttributes().preserveDrawingBuffer is true
+PASS getError was expected value: NO_ERROR : Should be no errors from setup.
+
+Fill the WebGL canvas with solid white at 50% transparency.
+PASS getError was expected value: NO_ERROR : Should be no errors from drawing.
+Convert to a JPEG data URL.
+PASS imageUrl && imageUrl.length > 0 is true
+Append the image to the document.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/canvas/webgl/toDataURL-unpremultipliedAlpha.html (0 => 178637)
--- trunk/LayoutTests/fast/canvas/webgl/toDataURL-unpremultipliedAlpha.html (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/toDataURL-unpremultipliedAlpha.html 2015-01-19 05:14:56 UTC (rev 178637)
@@ -0,0 +1,56 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<title>Test toDataURL to JPEG on a non-premultipledAlpha WebGL context.</title>
+<script src=""
+<script src="" </script>
+<script src="" </script>
+</head>
+<body>
+<div id="description"></div><div id="console"></div>
+<script>
+var wtu = WebGLTestUtils;
+
+if (window.testRunner)
+ testRunner.overridePreference("WebKitWebGLEnabled", "1");
+
+description("Test toDataURL on a non-premultipledAlpha WebGL context.");
+var canvas = document.createElement("canvas");
+var gl = wtu.create3DContext(canvas, { premultipliedAlpha: false, preserveDrawingBuffer: true });
+shouldBeUndefined('gl.getContextAttributes().premultipledAlpha');
+shouldBeTrue('gl.getContextAttributes().preserveDrawingBuffer');
+
+var program = wtu.setupTexturedQuad(gl);
+
+glErrorShouldBe(gl, gl.NO_ERROR, "Should be no errors from setup.");
+
+debug("");
+debug("Fill the WebGL canvas with solid white at 50% transparency.")
+var tex = gl.createTexture();
+wtu.fillTexture(gl, tex, 2, 2, [255, 255, 255, 128], 0);
+var loc = gl.getUniformLocation(program, "tex");
+gl.uniform1i(loc, 0);
+gl.texParameteri(gl.TEXTURE_2D, gl.TEXTURE_MIN_FILTER, gl.LINEAR);
+gl.texParameteri(gl.TEXTURE_2D, gl.TEXTURE_MAG_FILTER, gl.LINEAR);
+gl.texParameteri(gl.TEXTURE_2D, gl.TEXTURE_WRAP_S, gl.CLAMP_TO_EDGE);
+gl.texParameteri(gl.TEXTURE_2D, gl.TEXTURE_WRAP_T, gl.CLAMP_TO_EDGE);
+
+wtu.drawQuad(gl);
+glErrorShouldBe(gl, gl.NO_ERROR, "Should be no errors from drawing.");
+
+debug("Convert to a JPEG data URL.")
+var imageUrl = canvas.toDataURL("image/jpeg");
+shouldBeTrue('imageUrl && imageUrl.length > 0');
+var image = document.createElement("img");
+image.addEventListener("load", function() {
+ debug("Append the image to the document.")
+ document.body.appendChild(image);
+ finishJSTest();
+}, false);
+image.src = ""
+
+
+</script>
+</body>
+</html>
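Review bot: The attribute check `shouldBeUndefined('gl.getContextAttributes().premultipledAlpha')` misspells the property (`premultipledAlpha`, missing an `i`), so it passes for any context and never confirms that the context is actually unpremultiplied. This regression test only reaches the alpha-flattening path in toDataURL when premultipliedAlpha is false, so I would change the line to `shouldBeFalse('gl.getContextAttributes().premultipliedAlpha');` and update the matching PASS line in toDataURL-unpremultipliedAlpha-expected.txt. The same misspelling appears in the `<title>` and the `description()` string. The image also has only a `load` listener, so a data URL that fails to decode would presumably end in a timeout rather than an explicit failure; an `error` listener that calls `testFailed(...)` and then `finishJSTest()` would make that case visible.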
Modified: trunk/Source/WebCore/ChangeLog (178636 => 178637)
--- trunk/Source/WebCore/ChangeLog 2015-01-19 00:03:33 UTC (rev 178636)
+++ trunk/Source/WebCore/ChangeLog 2015-01-19 05:14:56 UTC (rev 178637)
@@ -1,3 +1,25 @@
+2015-01-18 Dean Jackson <[email protected]>
+
+ Out of bounds write in canvas.toDataURL
+ https://bugs.webkit.org/show_bug.cgi?id=140594
+ <rdar://problem/19449135>
+
+ Reviewed by Alexey Proskuryakov.
+
+ In the case where we have a canvas object that does
+ not have premultiplied alpha (an option you can select
+ when using WebGL) we have to multiply out the alpha when
+ converting to JPEG via toDataURL.
+
+ For this we created a buffer, but were not accurately
+ resizing it before flattening the alpha.
+
+ Test: fast/canvas/webgl/toDataURL-unpremultipliedAlpha.html
+
+ * platform/graphics/cg/ImageBufferCG.cpp:
+ (WebCore::ImageDataToDataURL): Call resize once we've
+ determined we have enough space.
+
2015-01-17 Sam Weinig <[email protected]>
Add initial experimental user content filtering API
Modified: trunk/Source/WebCore/platform/graphics/cg/ImageBufferCG.cpp (178636 => 178637)
--- trunk/Source/WebCore/platform/graphics/cg/ImageBufferCG.cpp 2015-01-19 00:03:33 UTC (rev 178636)
+++ trunk/Source/WebCore/platform/graphics/cg/ImageBufferCG.cpp 2015-01-19 05:14:56 UTC (rev 178637)
@@ -540,6 +540,7 @@
if (!premultipliedData.tryReserveCapacity(size))
return "data:,";
+ premultipliedData.resize(size);
unsigned char *buffer = premultipliedData.data();
for (size_t i = 0; i < size; i += 4) {
unsigned alpha = data[i + 3];
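Review bot: The added `premultipliedData.resize(size);` deserves a one-line comment, because nothing here says why a successful `tryReserveCapacity(size)` is not enough before writing through `data()`. Something like `// tryReserveCapacity() only reserves storage and leaves size() unchanged; resize so the writes below stay inside the vector's bounds.` would keep a later cleanup from removing the call as redundant. The loop bound and the reads `data[i + 3]` both depend on `size`, which is computed outside this hunk, so it is worth confirming that it is derived from the image dimensions with overflow-checked arithmetic and matches the length of `data`. The enclosing function (ImageDataToDataURL, per the ChangeLog) starts and ends outside the hunk.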