[canvas] Add overflow check in the ImageData constructor

We saw this issue in another CL. R=haraken@chromium.org Change-Id: Ib1bd74d8df9de318430970d7c36e0b18f42e37bb Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1936489Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#719130}

[canvas] Add overflow check in the ImageData constructor
We saw this issue in another CL. R=haraken@chromium.org Change-Id: Ib1bd74d8df9de318430970d7c36e0b18f42e37bb Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1936489Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#719130}
61a7f8a5 · Andreas Haas · Commit Bot · ff3de9d7 · 61a7f8a5
Commit 61a7f8a5 authored Nov 26, 2019 by Andreas Haas Committed by Commit Bot Nov 26, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 6 deletions

third_party/blink/renderer/core/html/canvas/image_data.cc third_party/blink/renderer/core/html/canvas/image_data.cc +9 -6

No files found.
--- a/third_party/blink/renderer/core/html/canvas/image_data.cc
+++ b/third_party/blink/renderer/core/html/canvas/image_data.cc
@@ -882,8 +882,9 @@ ImageData::ImageData(const IntSize& size,
          static_cast<const DOMUint8ClampedArray*>(data));
      DCHECK(data_);
      data_union_.SetUint8ClampedArray(data_);
-      SECURITY_CHECK(static_cast<size_t>(size.Width() * size.Height() * 4) <=
+      SECURITY_CHECK(
-                     data_->lengthAsSizeT());
+          (base::CheckedNumeric<size_t>(size.Width()) * size.Height() * 4)
+              .ValueOrDie() <= data_->lengthAsSizeT());
      break;
    case kUint16ArrayStorageFormat:
@@ -892,8 +893,9 @@ ImageData::ImageData(const IntSize& size,
          const_cast<DOMUint16Array*>(static_cast<const DOMUint16Array*>(data));
      DCHECK(data_u16_);
      data_union_.SetUint16Array(data_u16_);
-      SECURITY_CHECK(static_cast<size_t>(size.Width() * size.Height() * 4) <=
+      SECURITY_CHECK(
-                     data_u16_->lengthAsSizeT());
+          (base::CheckedNumeric<size_t>(size.Width()) * size.Height() * 4)
+              .ValueOrDie() <= data_u16_->lengthAsSizeT());
      break;
    case kFloat32ArrayStorageFormat:
@@ -902,8 +904,9 @@ ImageData::ImageData(const IntSize& size,
          static_cast<const DOMFloat32Array*>(data));
      DCHECK(data_f32_);
      data_union_.SetFloat32Array(data_f32_);
-      SECURITY_CHECK(static_cast<size_t>(size.Width() * size.Height() * 4) <=
+      SECURITY_CHECK(
-                     data_f32_->lengthAsSizeT());
+          (base::CheckedNumeric<size_t>(size.Width()) * size.Height() * 4)
+              .ValueOrDie() <= data_f32_->lengthAsSizeT());
      break;
    default: