Make RecordingImageBufferSurface robust to int overflows

BUG=737448 Change-Id: I493919ce2ed8c4263b6b54684243b54bd38a2120 Reviewed-on: https://chromium-review.googlesource.com/567107Reviewed-by: Fernando Serboncini <fserb@chromium.org> Commit-Queue: Justin Novosad <junov@chromium.org> Cr-Commit-Position: refs/heads/master@{#486596}

Make RecordingImageBufferSurface robust to int overflows
BUG=737448 Change-Id: I493919ce2ed8c4263b6b54684243b54bd38a2120 Reviewed-on: https://chromium-review.googlesource.com/567107Reviewed-by: Fernando Serboncini <fserb@chromium.org> Commit-Queue: Justin Novosad <junov@chromium.org> Cr-Commit-Position: refs/heads/master@{#486596}
933bab4b · Justin Novosad · Commit Bot · bdd28407 · 933bab4b
Commit 933bab4b authored Jul 14, 2017 by Justin Novosad Committed by Commit Bot Jul 14, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 7 deletions

third_party/WebKit/Source/platform/graphics/RecordingImageBufferSurface.cpp .../Source/platform/graphics/RecordingImageBufferSurface.cpp +15 -7

No files found.
--- a/third_party/WebKit/Source/platform/graphics/RecordingImageBufferSurface.cpp
+++ b/third_party/WebKit/Source/platform/graphics/RecordingImageBufferSurface.cpp
@@ -13,6 +13,7 @@
 #include "platform/graphics/ImageBuffer.h"
 #include "platform/graphics/UnacceleratedImageBufferSurface.h"
 #include "platform/graphics/paint/PaintRecorder.h"
+#include "platform/wtf/CheckedNumeric.h"
 #include "platform/wtf/PassRefPtr.h"
 #include "platform/wtf/PtrUtil.h"

@@ -305,7 +306,11 @@ void RecordingImageBufferSurface::WillOverwriteCanvas() {
 void RecordingImageBufferSurface::DidDraw(const FloatRect& rect) {
  did_record_draw_commands_in_current_frame_ = true;
  IntRect pixel_bounds = EnclosingIntRect(rect);
-  current_frame_pixel_count_ += pixel_bounds.Width() * pixel_bounds.Height();
+  CheckedNumeric<int> pixel_count = pixel_bounds.Width();
+  pixel_count *= pixel_bounds.Height();
+  pixel_count += current_frame_pixel_count_;
+  current_frame_pixel_count_ =
+      pixel_count.ValueOrDefault(std::numeric_limits<int>::max());
 }

 bool RecordingImageBufferSurface::FinalizeFrameInternal(
@@ -369,13 +374,18 @@ bool RecordingImageBufferSurface::IsExpensiveToPaint() {
  if (fallback_surface_)
    return fallback_surface_->IsExpensiveToPaint();

+  CheckedNumeric<int> overdraw_limit_checked = size().Width();
+  overdraw_limit_checked *= size().Height();
+  overdraw_limit_checked *=
+      CanvasHeuristicParameters::kExpensiveOverdrawThreshold;
+  int overdraw_limit =
+      overdraw_limit_checked.ValueOrDefault(std::numeric_limits<int>::max());
+
  if (did_record_draw_commands_in_current_frame_) {
    if (current_frame_has_expensive_op_)
      return true;

-    if (current_frame_pixel_count_ >=
-        (size().Width() * size().Height() *
-         CanvasHeuristicParameters::kExpensiveOverdrawThreshold))
+    if (current_frame_pixel_count_ >= overdraw_limit)
      return true;

    if (frame_was_cleared_)
@@ -386,9 +396,7 @@ bool RecordingImageBufferSurface::IsExpensiveToPaint() {
    if (previous_frame_has_expensive_op_)
      return true;

-    if (previous_frame_pixel_count_ >=
-        (size().Width() * size().Height() *
-         CanvasHeuristicParameters::kExpensiveOverdrawThreshold))
+    if (previous_frame_pixel_count_ >= overdraw_limit)
      return true;
  }