Bug 1551745 - Check max size and fix overflow calculating canvas allocation size r=smaug
authorJon Coppeard <jcoppeard@mozilla.com>
Wed, 15 May 2019 15:34:30 +0100
changeset 474124 a0464187dbfa6b296752aeb9e34779ac1b85be77
parent 474123 c1b13e664eb4bf1e49d4dab83a9cf93a5277e4c3
child 474125 3b622e5dea3a9472380cce2d042e7f1bccb8d606
push id36023
push userncsoregi@mozilla.com
push dateThu, 16 May 2019 21:56:43 +0000
reviewerssmaug
bugs1551745
milestone68.0a1
Bug 1551745 - Check max size and fix overflow calculating canvas allocation size r=smaug The patch changes the calculation for the allocation size associated with a canvas rendering context to return zero when the width or height is greater than allowed (this will result in an error when creating the target later on) and also if the size calculation overflows (which shouldn't normally happen given the previous check). Differential Revision: https://phabricator.services.mozilla.com/D31265
dom/canvas/CanvasRenderingContext2D.cpp
dom/canvas/crashtests/1551745.html
dom/canvas/crashtests/crashtests.list
--- a/dom/canvas/CanvasRenderingContext2D.cpp
+++ b/dom/canvas/CanvasRenderingContext2D.cpp
@@ -5650,13 +5650,26 @@ void CanvasPath::EnsurePathBuilder() con
 
   // if there is not pathbuilder, there must be a path
   MOZ_ASSERT(mPath);
   mPathBuilder = mPath->CopyToBuilder();
   mPath = nullptr;
 }
 
 size_t BindingJSObjectMallocBytes(CanvasRenderingContext2D* aContext) {
-  return aContext->GetWidth() * aContext->GetHeight() * 4;
+  int32_t width = aContext->GetWidth();
+  int32_t height = aContext->GetHeight();
+
+  int32_t max = gfxPrefs::MaxCanvasSize();
+  if (width > max || height > max) {
+    return 0;
+  }
+
+  CheckedInt<uint32_t> bytes = CheckedInt<uint32_t>(width) * height * 4;
+  if (!bytes.isValid()) {
+    return 0;
+  }
+
+  return bytes.value();
 }
 
 }  // namespace dom
 }  // namespace mozilla
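Review bot: The `return 0;` on both new early exits is a sentinel whose meaning only the commit message explains; a reader of BindingJSObjectMallocBytes alone cannot tell whether 0 means "no allocation" or "error". Suggest a comment above the max check: `// Oversized or overflowing dimensions yield 0: draw-target creation fails for such sizes later, so no malloc bytes are attributed to the JS object.` A negative width or height also passes `width > max || height > max`; it is only rejected because, as I read it, the CheckedInt<uint32_t> constructor marks an out-of-range signed input as invalid, which is worth stating in the same comment so the guard is not later "simplified" into a plain multiply. The literal `4` would read better as a named bytes-per-pixel constant if one already exists in this file. The tail of CanvasPath::EnsurePathBuilder at the top of the hunk starts outside the hunk.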
new file mode 100644
--- /dev/null
+++ b/dom/canvas/crashtests/1551745.html
@@ -0,0 +1,9 @@
+<script>
+window.addEventListener('load', function() {
+  b.getContext('2d')
+  a.src = b.toDataURL('image/jpeg', 0.1)
+  b.setAttribute('width', 2684354)
+})
+</script>
+<img id='a' src='data:image/gif;base64,R0lGODlhAQABAIABAP///wAAACwAAAAAAQABAAACAkQBADs='/>
+<canvas id='b' height='800' width='800'></canvas>
--- a/dom/canvas/crashtests/crashtests.list
+++ b/dom/canvas/crashtests/crashtests.list
@@ -48,8 +48,10 @@ load 1305850.html
 load 1334366-1.html
 load 1334647-1.html
 load 1349067.html
 pref(gfx.offscreencanvas.enabled,true) load 1348976-1.html
 load 1357092.html
 load 1441613.html
 pref(gfx.offscreencanvas.enabled,true) load 1443671.html
 pref(gfx.offscreencanvas.enabled,true) load 1546390.html
+load 1549853.html
+load 1551745.html
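Review bot: `load 1549853.html` is added alongside the new 1551745.html test, but this commit does not add or touch a 1549853.html file (the file list above names only the three paths shown). If that file already exists in dom/canvas/crashtests and was simply missing from the manifest, a one-line mention in the commit description would make that clear; if it does not exist, the crashtest run will fail on the missing file rather than on the canvas size fix.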