Bug 1225381 - ensure mozCurrentTransform is finite. r=jmuizelaar
authorLee Salzman <lsalzman@mozilla.com>
Tue, 17 Nov 2015 12:35:10 -0500
changeset 273245 697b9868015060ed5f6076e00e68a1d00f5fb362
parent 273244 7871c4b94e6df085ac216ba7a9bd02d9b8281b70
child 273246 71e3707ea64467cb9bbe22a61548fced2e1218dd
push id68231
push usercbook@mozilla.com
push dateThu, 19 Nov 2015 09:51:26 +0000
treeherdermozilla-inbound@71e3707ea644 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjmuizelaar
bugs1225381
milestone45.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1225381 - ensure mozCurrentTransform is finite. r=jmuizelaar
dom/canvas/CanvasRenderingContext2D.cpp
dom/canvas/crashtests/1225381-1.html
dom/canvas/crashtests/crashtests.list
--- a/dom/canvas/CanvasRenderingContext2D.cpp
+++ b/dom/canvas/CanvasRenderingContext2D.cpp
@@ -1891,17 +1891,17 @@ CanvasRenderingContext2D::SetMozCurrentT
 {
   EnsureTarget();
   if (!IsTargetValid()) {
     error.Throw(NS_ERROR_FAILURE);
     return;
   }
 
   Matrix newCTM;
-  if (ObjectToMatrix(cx, currentTransform, newCTM, error)) {
+  if (ObjectToMatrix(cx, currentTransform, newCTM, error) && newCTM.IsFinite()) {
     mTarget->SetTransform(newCTM);
   }
 }
 
 void
 CanvasRenderingContext2D::GetMozCurrentTransform(JSContext* cx,
                                                  JS::MutableHandle<JSObject*> result,
                                                  ErrorResult& error) const
@@ -1919,17 +1919,17 @@ CanvasRenderingContext2D::SetMozCurrentT
   if (!IsTargetValid()) {
     error.Throw(NS_ERROR_FAILURE);
     return;
   }
 
   Matrix newCTMInverse;
   if (ObjectToMatrix(cx, currentTransform, newCTMInverse, error)) {
     // XXX ERRMSG we need to report an error to developers here! (bug 329026)
-    if (newCTMInverse.Invert()) {
+    if (newCTMInverse.Invert() && newCTMInverse.IsFinite()) {
       mTarget->SetTransform(newCTMInverse);
     }
   }
 }
 
 void
 CanvasRenderingContext2D::GetMozCurrentTransformInverse(JSContext* cx,
                                                         JS::MutableHandle<JSObject*> result,
new file mode 100644
--- /dev/null
+++ b/dom/canvas/crashtests/1225381-1.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<script>
+
+function boom() {
+    var canvas = document.createElement('canvas');
+    var ctx = canvas.getContext('2d');
+    ctx.mozCurrentTransformInverse = [32, -1, 0.8320478957221024, 1.7976931348623157e+308, 512, 0.9012573524148337];
+    ctx.fillText("A", 0 ,0);
+}
+
+</script>
+</head>
+<body onload="boom();"></body>
+</html>
--- a/dom/canvas/crashtests/crashtests.list
+++ b/dom/canvas/crashtests/crashtests.list
@@ -18,9 +18,10 @@ load 802926-1.html
 load 896047-1.html
 load 896047-2.html
 load 916128-1.html
 load 934939-1.html
 load 1099143-1.html
 load 1161277-1.html
 load 1183363.html
 load 1190705.html
+load 1225381-1.html
 load texImage2D.html