Title: [193898] trunk/Source/WebCore
- Revision: 193898
- Author: [email protected]
- Date: 2015-12-10 02:24:55 -0800 (Thu, 10 Dec 2015)
Log Message
[TexMap] pixel coverage multiplication in TiledBackingStore can overflow
https://bugs.webkit.org/show_bug.cgi?id=152055
Reviewed by Carlos Garcia Campos.
The computation of the pixel coverage in TiledBackingStore can easily overflow
when the candidate size is relatively large (for instance when the backed
layer is transformed in a way that increases its perceived size). This can result
in missing tiles for this specific backing store, at least until the layer in
question is transformed again into a shape that produces a smaller candidate size.
To avoid the integer overflow, the multiplication is done in a safe manner,
defaulting to the max positive value an integer can hold in case the overflow
is detected.
* platform/graphics/texmap/coordinated/TiledBackingStore.cpp:
(WebCore::TiledBackingStore::adjustForContentsRect):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (193897 => 193898)
--- trunk/Source/WebCore/ChangeLog 2015-12-10 10:23:06 UTC (rev 193897)
+++ trunk/Source/WebCore/ChangeLog 2015-12-10 10:24:55 UTC (rev 193898)
@@ -1,5 +1,25 @@
2015-12-10 Zan Dobersek <[email protected]>
+ [TexMap] pixel coverage multiplication in TiledBackingStore can overflow
+ https://bugs.webkit.org/show_bug.cgi?id=152055
+
+ Reviewed by Carlos Garcia Campos.
+
+ The computation of the pixel coverage in TiledBackingStore can easily overflow
+ when the candidate size is relatively large (for instance when the backed
+ layer is transformed in a way that increases its perceived size). This can result
+ in missing tiles for this specific backing store, at least until the layer in
+ question is transformed again into a shape that produces a smaller candidate size.
+
+ To avoid the integer overflow, the multiplication is done in a safe manner,
+ defaulting to the max positive value an integer can hold in case the overflow
+ is detected.
+
+ * platform/graphics/texmap/coordinated/TiledBackingStore.cpp:
+ (WebCore::TiledBackingStore::adjustForContentsRect):
+
+2015-12-10 Zan Dobersek <[email protected]>
+
[TexMap] Clean up BitmapTexturePool
https://bugs.webkit.org/show_bug.cgi?id=152073
Modified: trunk/Source/WebCore/platform/graphics/texmap/coordinated/TiledBackingStore.cpp (193897 => 193898)
--- trunk/Source/WebCore/platform/graphics/texmap/coordinated/TiledBackingStore.cpp 2015-12-10 10:23:06 UTC (rev 193897)
+++ trunk/Source/WebCore/platform/graphics/texmap/coordinated/TiledBackingStore.cpp 2015-12-10 10:24:55 UTC (rev 193898)
@@ -23,6 +23,7 @@
#if USE(COORDINATED_GRAPHICS)
#include "GraphicsContext.h"
#include "TiledBackingStoreClient.h"
+#include <wtf/CheckedArithmetic.h>
namespace WebCore {
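Review bot: The hunk at line 270 below uses std::numeric_limits<int>::max(), but the only header this hunk adds is <wtf/CheckedArithmetic.h>; add an explicit `#include <limits>` beside it rather than relying on a transitive include, so the saturation value keeps compiling if the WTF header's own includes change.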
@@ -269,7 +270,9 @@
return;
// Try to create a cover rect of the same size as the candidate, but within content bounds.
- int pixelsCovered = candidateSize.width() * candidateSize.height();
+ int pixelsCovered = 0;
+ if (!WTF::safeMultiply(candidateSize.width(), candidateSize.height(), pixelsCovered))
+ pixelsCovered = std::numeric_limits<int>::max();
if (rect.width() < candidateSize.width())
rect.inflateY(((pixelsCovered / rect.width()) - rect.height()) / 2);
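Review bot: The saturated path is undocumented: when WTF::safeMultiply reports overflow, pixelsCovered is pinned to std::numeric_limits<int>::max(), and `pixelsCovered / rect.width()` in the branch below then produces a very large inflation. Add a comment stating that this is intentional (a candidate too large to express as an int pixel count should grow the cover rect up to the content bounds) so the sentinel is not mistaken for a leftover. Also worth confirming in review that rect.width() cannot be zero at this point, since the division is unguarded; that is pre-existing, but this change is the natural place to note the invariant.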
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes