Bug 1272123 - Limit the size of CanvasRenderingContext2D::mStyleStack. r=mstange, a=ritu
authorEdwin Flores <eflores@mozilla.com>
Wed, 17 Aug 2016 09:26:11 +0100
changeset 350214 19ba3c80b6f3b6473340af6b6eb4c1ddee14990a
parent 350213 648df5f64606195b069754bccfaba43a58e175c4
child 350215 3c621f8c782957aeda376304afe884139b7ee49a
push id1230
push userjlund@mozilla.com
push dateMon, 31 Oct 2016 18:13:35 +0000
reviewersmstange, ritu
bugs1272123
milestone50.0a2
Bug 1272123 - Limit the size of CanvasRenderingContext2D::mStyleStack. r=mstange, a=ritu
dom/canvas/CanvasRenderingContext2D.cpp
--- a/dom/canvas/CanvasRenderingContext2D.cpp
+++ b/dom/canvas/CanvasRenderingContext2D.cpp
@@ -156,16 +156,18 @@ using namespace mozilla::ipc;
 using namespace mozilla::layers;
 
 namespace mozilla {
 namespace dom {
 
 // Cap sigma to avoid overly large temp surfaces.
 const Float SIGMA_MAX = 100;
 
+const size_t MAX_STYLE_STACK_SIZE = 1024;
+
 /* Memory reporter stuff */
 static int64_t gCanvasAzureMemoryUsed = 0;
 
 // This is KIND_OTHER because it's not always clear where in memory the pixels
 // of a canvas are stored.  Furthermore, this memory will be tracked by the
 // underlying surface implementations.  See bug 655638 for details.
 class Canvas2dPixelsReporter final : public nsIMemoryReporter
 {
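Review bot: The new constant at line 28 has no comment saying what it bounds or why, unlike SIGMA_MAX directly above it; a reader has to look up bug 1272123 to learn that mStyleStack grows by one entry per script-driven save() and that the cap exists so content which never calls restore() cannot grow the array without bound. Suggest `// Cap the save()/restore() state stack so content that never restores cannot grow it without bound (bug 1272123).` above the declaration. The comment added in Save() (the next hunk, whose enclosing function ends outside this view) explains the eviction cost but not that the oldest entry is dropped silently, which from the visible code appears to leave a later restore() landing on a state other than the one originally saved; a sentence saying so there would make the trade-off explicit. It is also worth noting in the comment that 1024 is a tuning value rather than a spec limit, so a later reader does not mistake it for a platform constant.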
@@ -1949,16 +1951,22 @@ CanvasRenderingContext2D::GetSurfaceForm
 
 void
 CanvasRenderingContext2D::Save()
 {
   EnsureTarget();
   mStyleStack[mStyleStack.Length() - 1].transform = mTarget->GetTransform();
   mStyleStack.SetCapacity(mStyleStack.Length() + 1);
   mStyleStack.AppendElement(CurrentState());
+
+  if (mStyleStack.Length() > MAX_STYLE_STACK_SIZE) {
+    // This is not fast, but is better than OOMing and shouldn't be hit by
+    // reasonable code.
+    mStyleStack.RemoveElementAt(0);
+  }
 }
 
 void
 CanvasRenderingContext2D::Restore()
 {
   if (mStyleStack.Length() - 1 == 0)
     return;