Bug 1348936 - Fix BasicPlanarYCbCrImage::CopyData() r=nical a=gchang
authorsotaro <sotaro.ikeda.g@gmail.com>
Wed, 05 Apr 2017 11:45:13 +0900
changeset 395770 011ddbeca97ee047a6abf33e01930f3c73f97ccd
parent 395769 f7f8d7181cfb25e2d1e6efc3bd3a4466da475abb
child 395771 5dc8f5c5ff0dbb2ee53a1245d2dd48d53732f0fc
push id1468
push userasasaki@mozilla.com
push dateMon, 05 Jun 2017 19:31:07 +0000
treeherdermozilla-release@0641fc6ee9d1 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersnical, gchang
bugs1348936
milestone54.0a2
Bug 1348936 - Fix BasicPlanarYCbCrImage::CopyData() r=nical a=gchang
gfx/layers/basic/BasicImages.cpp
--- a/gfx/layers/basic/BasicImages.cpp
+++ b/gfx/layers/basic/BasicImages.cpp
@@ -6,16 +6,17 @@
 #include <stdint.h>                     // for uint8_t, uint32_t
 #include "BasicLayers.h"                // for BasicLayerManager
 #include "ImageContainer.h"             // for PlanarYCbCrImage, etc
 #include "ImageTypes.h"                 // for ImageFormat, etc
 #include "cairo.h"                      // for cairo_user_data_key_t
 #include "gfxASurface.h"                // for gfxASurface, etc
 #include "gfxPlatform.h"                // for gfxPlatform, gfxImageFormat
 #include "gfxUtils.h"                   // for gfxUtils
+#include "mozilla/CheckedInt.h"
 #include "mozilla/mozalloc.h"           // for operator delete[], etc
 #include "mozilla/RefPtr.h"
 #include "mozilla/UniquePtr.h"
 #include "nsAutoRef.h"                  // for nsCountedRef
 #include "nsCOMPtr.h"                   // for already_AddRefed
 #include "nsDebug.h"                    // for NS_ERROR, NS_ASSERTION
 #include "nsISupportsImpl.h"            // for Image::Release, etc
 #include "nsThreadUtils.h"              // for NS_IsMainThread
@@ -106,17 +107,23 @@ BasicPlanarYCbCrImage::CopyData(const Da
   if (size.width > PlanarYCbCrImage::MAX_DIMENSION ||
       size.height > PlanarYCbCrImage::MAX_DIMENSION) {
     NS_ERROR("Illegal image dest width or height");
     return false;
   }
 
   gfxImageFormat iFormat = gfx::SurfaceFormatToImageFormat(format);
   mStride = gfxASurface::FormatStrideForWidth(iFormat, size.width);
-  mDecodedBuffer = AllocateBuffer(size.height * mStride);
+  mozilla::CheckedInt32 requiredBytes =
+    mozilla::CheckedInt32(size.height) * mozilla::CheckedInt32(mStride);
+  if (!requiredBytes.isValid()) {
+    // invalid size
+    return false;
+  }
+  mDecodedBuffer = AllocateBuffer(requiredBytes.value());
   if (!mDecodedBuffer) {
     // out of memory
     return false;
   }
 
   gfx::ConvertYCbCrToRGB(aData, format, size, mDecodedBuffer.get(), mStride);
   SetOffscreenFormat(iFormat);
   mSize = size;