Prevent integer overlow on getImageData

BUG=708165,708044,708961 Review-Url: https://codereview.chromium.org/2797333002 Cr-Commit-Position: refs/heads/master@{#462989}

Prevent integer overlow on getImageData
BUG=708165,708044,708961 Review-Url: https://codereview.chromium.org/2797333002 Cr-Commit-Position: refs/heads/master@{#462989}
27458c3a · fserb · Commit bot · f5fa6d69 · 27458c3a
Commit 27458c3a authored Apr 07, 2017 by fserb Committed by Commit bot Apr 07, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 1 deletion

third_party/WebKit/Source/modules/canvas2d/BaseRenderingContext2D.cpp ...WebKit/Source/modules/canvas2d/BaseRenderingContext2D.cpp +16 -1

No files found.
--- a/third_party/WebKit/Source/modules/canvas2d/BaseRenderingContext2D.cpp
+++ b/third_party/WebKit/Source/modules/canvas2d/BaseRenderingContext2D.cpp
@@ -31,6 +31,7 @@
 #include "platform/graphics/paint/PaintCanvas.h"
 #include "platform/graphics/paint/PaintFlags.h"
 #include "platform/graphics/skia/SkiaUtils.h"
+#include "platform/wtf/CheckedNumeric.h"

 namespace blink {

@@ -1530,6 +1531,11 @@ ImageData* BaseRenderingContext2D::getImageData(
    int sw,
    int sh,
    ExceptionState& exceptionState) const {
+  if (!WTF::CheckMul(sw, sh).IsValid<int>()) {
+    exceptionState.throwRangeError("Out of memory at ImageData creation");
+    return nullptr;
+  }
+
  m_usageCounters.numGetImageDataCalls++;
  m_usageCounters.areaGetImageDataCalls += sw * sh;
  if (!originClean())
@@ -1552,6 +1558,12 @@ ImageData* BaseRenderingContext2D::getImageData(
    sh = -sh;
  }

+  if (!WTF::CheckAdd(sx, sw).IsValid<int>() ||
+      !WTF::CheckAdd(sy, sh).IsValid<int>()) {
+    exceptionState.throwRangeError("Out of memory at ImageData creation");
+    return nullptr;
+  }
+
  Optional<ScopedUsHistogramTimer> timer;
  if (imageBuffer() && imageBuffer()->isAccelerated()) {
    DEFINE_THREAD_SAFE_STATIC_LOCAL(
@@ -1574,7 +1586,6 @@ ImageData* BaseRenderingContext2D::getImageData(
  }

  IntRect imageDataRect(sx, sy, sw, sh);
-  DVLOG(1) << sx << ", " << sy << ", " << sw << ", " << sh;
  ImageBuffer* buffer = imageBuffer();
  if (!buffer || isContextLost()) {
    ImageData* result = ImageData::create(imageDataRect.size());
@@ -1611,6 +1622,10 @@ void BaseRenderingContext2D::putImageData(ImageData* data,
                                          int dirtyWidth,
                                          int dirtyHeight,
                                          ExceptionState& exceptionState) {
+  if (!WTF::CheckMul(dirtyWidth, dirtyHeight).IsValid<int>()) {
+    return;
+  }
+
  m_usageCounters.numPutImageDataCalls++;
  m_usageCounters.areaPutImageDataCalls += dirtyWidth * dirtyHeight;
  if (data->data()->bufferBase()->isNeutered()) {