Handle failed allocations for raster shapes

Code checks for the size when allocating a raster shape (for CSS shape-outside) but ASAN defeats this check by allocating more than the exact image size. Be robust to this case and other out-of-memory situations by handling failed allocations. R=fs@opera.com BUG=779366 Change-Id: I11b1f9baaac21d89044dbaa1d5ed6cd188ccc813 Reviewed-on: https://chromium-review.googlesource.com/749320Reviewed-by: Fredrik Söderquist <fs@opera.com> Commit-Queue: Stephen Chenney <schenney@chromium.org> Cr-Commit-Position: refs/heads/master@{#513251}

Handle failed allocations for raster shapes
Code checks for the size when allocating a raster shape (for CSS shape-outside) but ASAN defeats this check by allocating more than the exact image size. Be robust to this case and other out-of-memory situations by handling failed allocations. R=fs@opera.com BUG=779366 Change-Id: I11b1f9baaac21d89044dbaa1d5ed6cd188ccc813 Reviewed-on: https://chromium-review.googlesource.com/749320Reviewed-by: Fredrik Söderquist <fs@opera.com> Commit-Queue: Stephen Chenney <schenney@chromium.org> Cr-Commit-Position: refs/heads/master@{#513251}
b059a760 · Stephen Chenney · Commit Bot · ab1386fb · b059a760 · b059a760
Commit b059a760 authored Nov 01, 2017 by Stephen Chenney Committed by Commit Bot Nov 01, 2017
4 changed files
--- a/third_party/WebKit/LayoutTests/fast/shapes/crash-allocating-very-large-raster-shape-expected.txt
+++ b/third_party/WebKit/LayoutTests/fast/shapes/crash-allocating-very-large-raster-shape-expected.txt
+A
+B
+C
+D
+E
+F
+G
+H
+I
+KKKKKKKKKKKKKKKKKKKKKKKKK
+L
+M
--- a/third_party/WebKit/LayoutTests/fast/shapes/crash-allocating-very-large-raster-shape.html
+++ b/third_party/WebKit/LayoutTests/fast/shapes/crash-allocating-very-large-raster-shape.html
+<!-- Without the the associated fix, crashes only in Win 32 ASAN. -->
+<!-- The exact width of the column also matters. -->
+<script>
+  if (window.testRunner) {
+    testRunner.dumpAsText();
+  }
+</script>
+<style>
+  * {
+    /* Margin size is important. Just enough to crash but not enough to hit
+       the check for "too big to allocate an image"
+    */
+    margin: 41310px auto 90 auto; 
+    shape-outside: url("data:image/svg+xml;utf8,<svg xmlns='http://www.w3.org/2000/svg'></svg>");
+  }
+</style>
+<body style="column-width:24em; column-gap:2em">
+  <div style="float:left;">
+    <div>A
+      <p>B
+        <p>C
+          <p>D
+            <p>E
+              <p>F
+                <p>G
+                  <p>H
+                    <p>I
+                      <p>KKKKKKKKKKKKKKKKKKKKKKKKK
+                        <p>L
+                          <p>M
+                          </p>
+                        </p>
+                      </p>
+                    </p>
+                  </p>
+                </p>
+              </p>
+            </p>
+          </p>
+        </p>
+      </p>
+    </div>
+  </div>
+</body>
--- a/third_party/WebKit/Source/core/layout/shapes/Shape.cpp
+++ b/third_party/WebKit/Source/core/layout/shapes/Shape.cpp
@@ -256,8 +256,10 @@ std::unique_ptr<Shape> Shape::CreateRasterShape(Image* image,
                Image::kDoNotClampImageToSourceRect, Image::kSyncDecode);
    WTF::ArrayBufferContents contents;
-    image_buffer->GetImageData(IntRect(IntPoint(), image_rect.Size()),
+    bool image_data_exists = image_buffer->GetImageData(
-                               contents);
+        IntRect(IntPoint(), image_rect.Size()), contents);
+    if (!image_data_exists)
+      return nullptr;
    DOMArrayBuffer* array_buffer = DOMArrayBuffer::Create(contents);
    DOMUint8ClampedArray* pixel_array = DOMUint8ClampedArray::Create(
        array_buffer, 0, array_buffer->ByteLength());

--- a/third_party/WebKit/Source/core/layout/shapes/ShapeOutsideInfo.cpp
+++ b/third_party/WebKit/Source/core/layout/shapes/ShapeOutsideInfo.cpp
@@ -172,9 +172,16 @@ std::unique_ptr<Shape> ShapeOutsideInfo::CreateShapeForImage(
      layout_box_, layout_box_.GetDocument(), layout_box_.StyleRef(),
      FlooredIntSize(image_size), nullptr);
-  return Shape::CreateRasterShape(image.get(), shape_image_threshold,
+  std::unique_ptr<Shape> new_shape =
-                                  image_rect, margin_rect, writing_mode,
+      Shape::CreateRasterShape(image.get(), shape_image_threshold, image_rect,
-                                  margin);
+                               margin_rect, writing_mode, margin);
+  if (!new_shape) {
+    layout_box_.GetDocument().AddConsoleMessage(
+        ConsoleMessage::Create(kRenderingMessageSource, kErrorMessageLevel,
+                               "The shape-outside image is too large."));
+    return Shape::CreateEmptyRasterShape(writing_mode, margin);
+  }
+  return new_shape;
 }
 const Shape& ShapeOutsideInfo::ComputedShape() const {