Bug 1294677 - Check for large image sizes. r=jrmuizel, a=abillings
authorMilan Sreckovic <milan@mozilla.com>
Wed, 24 Aug 2016 22:14:02 -0400
changeset 349927 b0b52bebfd3dff0705f0efddc1d0827144eb1e21
parent 349926 e851620e760b9cd4171da96fb67ed929bbe1431e
child 349928 5e9947ac9881a64256dd518ec8352f206fd0e68a
push id1230
push userjlund@mozilla.com
push dateMon, 31 Oct 2016 18:13:35 +0000
reviewersjrmuizel, abillings
bugs1294677
milestone50.0a2
Bug 1294677 - Check for large image sizes. r=jrmuizel, a=abillings
dom/base/ImageEncoder.cpp
--- a/dom/base/ImageEncoder.cpp
+++ b/dom/base/ImageEncoder.cpp
@@ -431,16 +431,22 @@ ImageEncoder::ExtractDataInternal(const 
                                   aOptions);
       dataSurface->Unmap();
     }
 
     if (NS_SUCCEEDED(rv)) {
       imgStream = do_QueryInterface(aEncoder);
     }
   } else {
+    CheckedInt32 requiredBytes = CheckedInt32(aSize.width) * CheckedInt32(aSize.height) * 4;
+    if (MOZ_UNLIKELY(!requiredBytes.isValid())) {
+      return NS_ERROR_INVALID_ARG;
+    }
+
+
     // no context, so we have to encode an empty image
     // note that if we didn't have a current context, the spec says we're
     // supposed to just return transparent black pixels of the canvas
     // dimensions.
     RefPtr<DataSourceSurface> emptyCanvas =
       Factory::CreateDataSourceSurfaceWithStride(IntSize(aSize.width, aSize.height),
                                                  SurfaceFormat::B8G8R8A8,
                                                  4 * aSize.width, true);
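Review bot: The stride argument `4 * aSize.width` in the CreateDataSourceSurfaceWithStride call is still plain int arithmetic, so the added check does not cover it in every case. With a height of 0, `requiredBytes` is a valid 0 even when `4 * aSize.width` overflows, and two negative dimensions also multiply to a valid positive value. Building the size from a checked stride closes both gaps, since an invalid CheckedInt stays invalid through later operations: `CheckedInt32 stride = CheckedInt32(aSize.width) * 4;`, then `CheckedInt32 requiredBytes = stride * aSize.height;`, and pass `stride.value()` to the factory once `requiredBytes.isValid()` holds. Whether callers can reach this branch with non-positive dimensions, and whether the factory result is null-checked, is not visible here because the function starts and ends outside the hunk. If non-positive sizes are reachable, an explicit `aSize.width <= 0 || aSize.height <= 0` rejection belongs in the same guard.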