Title: [193898] trunk/Source/WebCore
Revision
193898
Author
[email protected]
Date
2015-12-10 02:24:55 -0800 (Thu, 10 Dec 2015)

Log Message

[TexMap] pixel coverage multiplication in TiledBackingStore can overflow
https://bugs.webkit.org/show_bug.cgi?id=152055

Reviewed by Carlos Garcia Campos.

The computation of the pixel coverage in TiledBackingStore can easily overflow
when the candidate size is relatively large (for instance when the backed
layer is transformed in a way that increases its perceived size). This can result
in missing tiles for this specific backing store, at least until the layer in
question is transformed again into a shape that produces a smaller candidate size.

To avoid the integer overflow, the multiplication is done in a safe manner,
defaulting to the max positive value an integer can hold in case the overflow
is detected.

* platform/graphics/texmap/coordinated/TiledBackingStore.cpp:
(WebCore::TiledBackingStore::adjustForContentsRect):

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/platform/graphics/texmap/coordinated/TiledBackingStore.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (193897 => 193898)


--- trunk/Source/WebCore/ChangeLog	2015-12-10 10:23:06 UTC (rev 193897)
+++ trunk/Source/WebCore/ChangeLog	2015-12-10 10:24:55 UTC (rev 193898)
@@ -1,5 +1,25 @@
 2015-12-10  Zan Dobersek  <[email protected]>
 
+        [TexMap] pixel coverage multiplication in TiledBackingStore can overflow
+        https://bugs.webkit.org/show_bug.cgi?id=152055
+
+        Reviewed by Carlos Garcia Campos.
+
+        The computation of the pixel coverage in TiledBackingStore can easily overflow
+        when the candidate size is relatively large (for instance when the backed
+        layer is transformed in a way that increases its perceived size). This can result
+        in missing tiles for this specific backing store, at least until the layer in
+        question is transformed again into a shape that produces a smaller candidate size.
+
+        To avoid the integer overflow, the multiplication is done in a safe manner,
+        defaulting to the max positive value an integer can hold in case the overflow
+        is detected.
+
+        * platform/graphics/texmap/coordinated/TiledBackingStore.cpp:
+        (WebCore::TiledBackingStore::adjustForContentsRect):
+
+2015-12-10  Zan Dobersek  <[email protected]>
+
         [TexMap] Clean up BitmapTexturePool
         https://bugs.webkit.org/show_bug.cgi?id=152073
 

Modified: trunk/Source/WebCore/platform/graphics/texmap/coordinated/TiledBackingStore.cpp (193897 => 193898)


--- trunk/Source/WebCore/platform/graphics/texmap/coordinated/TiledBackingStore.cpp	2015-12-10 10:23:06 UTC (rev 193897)
+++ trunk/Source/WebCore/platform/graphics/texmap/coordinated/TiledBackingStore.cpp	2015-12-10 10:24:55 UTC (rev 193898)
@@ -23,6 +23,7 @@
 #if USE(COORDINATED_GRAPHICS)
 #include "GraphicsContext.h"
 #include "TiledBackingStoreClient.h"
+#include <wtf/CheckedArithmetic.h>
 
 namespace WebCore {
 
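Review bot: the second hunk in this file uses std::numeric_limits<int>::max(), but only <wtf/CheckedArithmetic.h> is added here; include <limits> explicitly next to it rather than relying on it arriving transitively through the WTF header.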
@@ -269,7 +270,9 @@
         return;
 
     // Try to create a cover rect of the same size as the candidate, but within content bounds.
-    int pixelsCovered = candidateSize.width() * candidateSize.height();
+    int pixelsCovered = 0;
+    if (!WTF::safeMultiply(candidateSize.width(), candidateSize.height(), pixelsCovered))
+        pixelsCovered = std::numeric_limits<int>::max();
 
     if (rect.width() < candidateSize.width())
         rect.inflateY(((pixelsCovered / rect.width()) - rect.height()) / 2);
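Review bot: saturating pixelsCovered to INT_MAX makes the multiplication well defined, but the clamped value then feeds `(pixelsCovered / rect.width()) - rect.height()` and inflateY, so confirm the inflated rect really is clipped to the contents rect afterwards (the comment promises "within content bounds", but that clipping is outside this hunk), and confirm rect.width() cannot be 0 at this point, since the early return above is cut off in the diff and a zero width would now divide INT_MAX by zero. If the true coverage matters for the cover-rect shape, a 64-bit product (or Checked<int> carried through the division) would preserve it instead of clamping.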
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes