Diff
Modified: trunk/Source/WebCore/ChangeLog (237558 => 237559)
--- trunk/Source/WebCore/ChangeLog 2018-10-29 18:40:13 UTC (rev 237558)
+++ trunk/Source/WebCore/ChangeLog 2018-10-29 19:08:24 UTC (rev 237559)
@@ -1,3 +1,36 @@
+2018-10-29 Jer Noble <jer.no...@apple.com>
+
+ CRASH in CoreGraphics: ERROR_CGDataProvider_BufferIsNotBigEnough
+ https://bugs.webkit.org/show_bug.cgi?id=190954
+
+ Reviewed by Simon Fraser.
+
+ Crash analyitics show that WebProcess will crash in ERROR_CGDataProvider_BufferIsNotBigEnough,
+ which attempts to fetch the last byte in the image buffer in order to verify that the entire
+ buffer is readable. Unfortunately, the stack trace generated by this crash does not identify
+ what CGDataProvider is responsible for the not-big-enough buffer. In order to identify which
+ CGDataProvider created by WebKit is responsible (if any), we will add our own version of
+ ERROR_CGDataProvider_BufferIsNotBigEnough, called at CGDataProvider creation time, which should
+ generate a crash within the responsible stack frame.
+
+ (This assumes that the issue is the wrong sized buffer at CGDataProvider creation time, and not
+ that the buffer itself is reclaimed between creation time and access.)
+
+ * WebCore.xcodeproj/project.pbxproj:
+ * platform/graphics/cg/GraphicsContext3DCG.cpp:
+ (WebCore::GraphicsContext3D::paintToCanvas):
+ * platform/graphics/cg/ImageBufferCG.cpp:
+ (WebCore::ImageBuffer::ImageBuffer):
+ (WebCore::ImageBuffer::toCFData const):
+ (WebCore::cfData):
+ * platform/graphics/cocoa/WebGLLayer.mm:
+ (-[WebGLLayer copyImageSnapshotWithColorSpace:]):
+ * platform/graphics/cv/PixelBufferConformerCV.cpp:
+ (WebCore::CVPixelBufferGetBytePointerCallback):
+ (WebCore::PixelBufferConformerCV::createImageFromPixelBuffer):
+ * platform/graphics/cg/ImageUtilitiesCG.h: Added.
+ (WebCore::verifyImageBufferIsBigEnough):
+
2018-10-29 David Kilzer <ddkil...@apple.com>
Fix clang static analyzer warning in StyleBuilderConverter.h
Modified: trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj (237558 => 237559)
--- trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2018-10-29 18:40:13 UTC (rev 237558)
+++ trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2018-10-29 19:08:24 UTC (rev 237559)
@@ -4016,6 +4016,7 @@
CD3A495F17A9D01B00274E42 /* MediaSource.h in Headers */ = {isa = PBXBuildFile; fileRef = CD3A495617A9D01B00274E42 /* MediaSource.h */; };
CD3A496217A9D01B00274E42 /* SourceBuffer.h in Headers */ = {isa = PBXBuildFile; fileRef = CD3A495917A9D01B00274E42 /* SourceBuffer.h */; };
CD3A496517A9D01B00274E42 /* SourceBufferList.h in Headers */ = {isa = PBXBuildFile; fileRef = CD3A495C17A9D01B00274E42 /* SourceBufferList.h */; };
+ CD3E21DD2183444A00E66F55 /* ImageBufferUtilitiesCG.h in Headers */ = {isa = PBXBuildFile; fileRef = CD3E21DB21833F5100E66F55 /* ImageBufferUtilitiesCG.h */; settings = {ATTRIBUTES = (Private, ); }; };
CD3E251C18046B0600E27F56 /* GridArea.h in Headers */ = {isa = PBXBuildFile; fileRef = CD3E251B18046B0600E27F56 /* GridArea.h */; settings = {ATTRIBUTES = (Private, ); }; };
CD3E252418046BCD00E27F56 /* CSSGridTemplateAreasValue.h in Headers */ = {isa = PBXBuildFile; fileRef = CD3E252218046BCD00E27F56 /* CSSGridTemplateAreasValue.h */; };
CD4AC52A1496AE9A0087C4EF /* Composite.wav in Copy Audio Resources */ = {isa = PBXBuildFile; fileRef = CD4AC5281496AE2F0087C4EF /* Composite.wav */; };
@@ -4028,6 +4029,7 @@
CD54A763180F9F7000B076C9 /* AudioTrackPrivateMediaSourceAVFObjC.h in Headers */ = {isa = PBXBuildFile; fileRef = CD54A761180F9F7000B076C9 /* AudioTrackPrivateMediaSourceAVFObjC.h */; };
CD5596911475B678001D0BD0 /* AudioFileReaderIOS.cpp in Sources */ = {isa = PBXBuildFile; fileRef = CD55968F1475B678001D0BD0 /* AudioFileReaderIOS.cpp */; };
CD5596921475B678001D0BD0 /* AudioFileReaderIOS.h in Headers */ = {isa = PBXBuildFile; fileRef = CD5596901475B678001D0BD0 /* AudioFileReaderIOS.h */; };
+ CD58949521874064004F424A /* ImageBufferUtilitiesCG.cpp in Sources */ = {isa = PBXBuildFile; fileRef = CD58949321874064004F424A /* ImageBufferUtilitiesCG.cpp */; };
CD5896E21CD2B15100B3BCC8 /* WebPlaybackControlsManager.h in Headers */ = {isa = PBXBuildFile; fileRef = CD5896E01CD2B15100B3BCC8 /* WebPlaybackControlsManager.h */; settings = {ATTRIBUTES = (Private, ); }; };
CD5D27781E8318E000D80A3D /* WebCoreDecompressionSession.h in Headers */ = {isa = PBXBuildFile; fileRef = CD5D27761E8318E000D80A3D /* WebCoreDecompressionSession.h */; };
CD5E5B5F1A15CE54000C609E /* PageConfiguration.h in Headers */ = {isa = PBXBuildFile; fileRef = CD5E5B5E1A15CE54000C609E /* PageConfiguration.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -13342,6 +13344,7 @@
CD3A495B17A9D01B00274E42 /* SourceBufferList.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SourceBufferList.cpp; sourceTree = "<group>"; };
CD3A495C17A9D01B00274E42 /* SourceBufferList.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SourceBufferList.h; sourceTree = "<group>"; };
CD3A495D17A9D01B00274E42 /* SourceBufferList.idl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = SourceBufferList.idl; sourceTree = "<group>"; };
+ CD3E21DB21833F5100E66F55 /* ImageBufferUtilitiesCG.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ImageBufferUtilitiesCG.h; sourceTree = "<group>"; };
CD3E251B18046B0600E27F56 /* GridArea.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = GridArea.h; sourceTree = "<group>"; };
CD3E252118046BCD00E27F56 /* CSSGridTemplateAreasValue.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CSSGridTemplateAreasValue.cpp; sourceTree = "<group>"; };
CD3E252218046BCD00E27F56 /* CSSGridTemplateAreasValue.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CSSGridTemplateAreasValue.h; sourceTree = "<group>"; };
@@ -13360,6 +13363,7 @@
CD54DE4917469C6D005E5B36 /* AudioSessionMac.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = AudioSessionMac.cpp; sourceTree = "<group>"; };
CD55968F1475B678001D0BD0 /* AudioFileReaderIOS.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = AudioFileReaderIOS.cpp; sourceTree = "<group>"; };
CD5596901475B678001D0BD0 /* AudioFileReaderIOS.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AudioFileReaderIOS.h; sourceTree = "<group>"; };
+ CD58949321874064004F424A /* ImageBufferUtilitiesCG.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = ImageBufferUtilitiesCG.cpp; sourceTree = "<group>"; };
CD5896DF1CD2B15100B3BCC8 /* WebPlaybackControlsManager.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = WebPlaybackControlsManager.mm; sourceTree = "<group>"; };
CD5896E01CD2B15100B3BCC8 /* WebPlaybackControlsManager.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WebPlaybackControlsManager.h; sourceTree = "<group>"; };
CD5D27751E8318E000D80A3D /* WebCoreDecompressionSession.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = WebCoreDecompressionSession.mm; sourceTree = "<group>"; };
@@ -23895,6 +23899,8 @@
B2A10B930B3818D700099AA4 /* ImageBufferCG.cpp */,
2292B27B1356669400CF11EF /* ImageBufferDataCG.cpp */,
22BD9F80135364FE009BD102 /* ImageBufferDataCG.h */,
+ CD3E21DB21833F5100E66F55 /* ImageBufferUtilitiesCG.h */,
+ CD58949321874064004F424A /* ImageBufferUtilitiesCG.cpp */,
555B87EA1CAAF0AB00349425 /* ImageDecoderCG.cpp */,
555B87EB1CAAF0AB00349425 /* ImageDecoderCG.h */,
4B3480920EEF50D400AC1B41 /* ImageSourceCG.h */,
@@ -28824,6 +28830,7 @@
4B3480940EEF50D400AC1B41 /* ImageSourceCG.h in Headers */,
078ED193216D079500775B33 /* ImageTransferSessionVT.h in Headers */,
5550CB421E955E3C00111AA0 /* ImageTypes.h in Headers */,
+ CD3E21DD2183444A00E66F55 /* ImageBufferUtilitiesCG.h in Headers */,
26F756B31B3B66F70005DD79 /* ImmutableNFA.h in Headers */,
26F756B51B3B68F20005DD79 /* ImmutableNFANodeBuilder.h in Headers */,
316FE1180E6E1DA700BF6088 /* ImplicitAnimation.h in Headers */,
@@ -32644,6 +32651,7 @@
DE5F860A1FA2386A006DB63A /* UnifiedSource475.cpp in Sources */,
DE5F860B1FA2386A006DB63A /* UnifiedSource476.cpp in Sources */,
DE5F860C1FA2386A006DB63A /* UnifiedSource477.cpp in Sources */,
+ CD58949521874064004F424A /* ImageBufferUtilitiesCG.cpp in Sources */,
DE5F860D1FA2386B006DB63A /* UnifiedSource478.cpp in Sources */,
DE5F860E1FA2386B006DB63A /* UnifiedSource479.cpp in Sources */,
DE5F860F1FA2386B006DB63A /* UnifiedSource480.cpp in Sources */,
Modified: trunk/Source/WebCore/platform/graphics/cg/GraphicsContext3DCG.cpp (237558 => 237559)
--- trunk/Source/WebCore/platform/graphics/cg/GraphicsContext3DCG.cpp 2018-10-29 18:40:13 UTC (rev 237558)
+++ trunk/Source/WebCore/platform/graphics/cg/GraphicsContext3DCG.cpp 2018-10-29 19:08:24 UTC (rev 237559)
@@ -33,6 +33,7 @@
#include "BitmapImage.h"
#include "GraphicsContextCG.h"
#include "Image.h"
+#include "ImageBufferUtilitiesCG.h"
#if HAVE(ARM_NEON_INTRINSICS)
#include "GraphicsContext3DNEON.h"
@@ -514,10 +515,16 @@
return;
memcpy(copiedPixels, imagePixels, rowBytes * imageSize.height());
- dataProvider = adoptCF(CGDataProviderCreateWithData(0, copiedPixels, rowBytes * imageSize.height(), releaseImageData));
- } else
- dataProvider = adoptCF(CGDataProviderCreateWithData(0, imagePixels, rowBytes * imageSize.height(), 0));
+ size_t dataSize = rowBytes * imageSize.height();
+ verifyImageBufferIsBigEnough(copiedPixels, dataSize);
+ dataProvider = adoptCF(CGDataProviderCreateWithData(0, copiedPixels, dataSize, releaseImageData));
+ } else {
+ size_t dataSize = rowBytes * imageSize.height();
+ verifyImageBufferIsBigEnough(imagePixels, dataSize);
+ dataProvider = adoptCF(CGDataProviderCreateWithData(0, imagePixels, dataSize, 0));
+ }
+
RetainPtr<CGImageRef> cgImage = adoptCF(CGImageCreate(imageSize.width(), imageSize.height(), 8, 32, rowBytes, sRGBColorSpaceRef(), kCGImageAlphaPremultipliedFirst | kCGBitmapByteOrder32Host,
dataProvider.get(), 0, false, kCGRenderingIntentDefault));
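Review bot: `size_t dataSize = rowBytes * imageSize.height();` is a plain multiplication, repeated in both branches, so if the product wraps or is evaluated in a narrower type the new probe tests the last byte of the wrapped size and passes. The types of `rowBytes` and `imageSize` are not visible in this hunk, so this is a hedge rather than a confirmed overflow. Computing the size once above the `if` with WTF checked arithmetic would remove both the duplication and the doubt. The same unchecked pattern appears in ImageBufferCG.cpp at `4 * logicalSize().width() * logicalSize().height()` (@@ -544) and, written out twice, at `4 * source.width() * source.height()` (@@ -605). The enclosing function starts and ends outside the hunk.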
Modified: trunk/Source/WebCore/platform/graphics/cg/ImageBufferCG.cpp (237558 => 237559)
--- trunk/Source/WebCore/platform/graphics/cg/ImageBufferCG.cpp 2018-10-29 18:40:13 UTC (rev 237558)
+++ trunk/Source/WebCore/platform/graphics/cg/ImageBufferCG.cpp 2018-10-29 19:08:24 UTC (rev 237559)
@@ -33,6 +33,7 @@
#include "BitmapImage.h"
#include "GraphicsContext.h"
#include "GraphicsContextCG.h"
+#include "ImageBufferUtilitiesCG.h"
#include "ImageData.h"
#include "IntRect.h"
#include "MIMETypeRegistry.h"
@@ -180,6 +181,7 @@
fastFree(const_cast<void*>(data));
};
// Create a live image that wraps the data.
+ verifyImageBufferIsBigEnough(m_data.data, numBytes.unsafeGet());
m_data.dataProvider = adoptCF(CGDataProviderCreateWithData(0, m_data.data, numBytes.unsafeGet(), releaseImageData));
if (!cgContext)
@@ -544,6 +546,7 @@
return nullptr;
size_t dataSize = 4 * logicalSize().width() * logicalSize().height();
+ verifyImageBufferIsBigEnough(premultipliedData->data(), dataSize);
auto dataProvider = adoptCF(CGDataProviderCreateWithData(nullptr, premultipliedData->data(), dataSize, nullptr));
if (!dataProvider)
return nullptr;
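Review bot: A zero `dataSize` now terminates the process at this call, because verifyImageBufferIsBigEnough() opens with `RELEASE_ASSERT(bufferSize)`; before this commit the call would have continued to CGDataProviderCreateWithData() and the existing `if (!dataProvider) return nullptr;` check. PixelBufferConformerCV.cpp gains an explicit `if (!byteLength) return nullptr;` guard in this commit, but this call site, the @@ -605 one and the remaining callers do not. Whether an empty logical size can reach this line depends on code above the hunk that is not visible. If it can, `if (!dataSize) return nullptr;` ahead of the probe would avoid the new assertion.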
@@ -605,6 +608,7 @@
data = ""
}
+ verifyImageBufferIsBigEnough(data, 4 * source.width() * source.height());
auto dataProvider = adoptCF(CGDataProviderCreateWithData(0, data, 4 * source.width() * source.height(), 0));
if (!dataProvider)
return nullptr;
Added: trunk/Source/WebCore/platform/graphics/cg/ImageBufferUtilitiesCG.cpp (0 => 237559)
--- trunk/Source/WebCore/platform/graphics/cg/ImageBufferUtilitiesCG.cpp (rev 0)
+++ trunk/Source/WebCore/platform/graphics/cg/ImageBufferUtilitiesCG.cpp 2018-10-29 19:08:24 UTC (rev 237559)
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "ImageBufferUtilitiesCG.h"
+
+#include <wtf/CheckedArithmetic.h>
+
+namespace WebCore {
+
+uint8_t verifyImageBufferIsBigEnough(const void* buffer, size_t bufferSize)
+{
+ RELEASE_ASSERT(bufferSize);
+
+ uintptr_t lastByte;
+ bool isSafe = WTF::safeAdd((uintptr_t)buffer, bufferSize - 1, lastByte);
+ RELEASE_ASSERT(isSafe);
+
+ return *(uint8_t*)lastByte;
+}
+
+}
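Review bot: The probe `return *(uint8_t*)lastByte;` is an ordinary load whose result every caller in this commit discards, so a build that can see both sides (LTO, or inlining within a unified source) may drop the read and with it the crash this function exists to produce. Reading through a volatile pointer keeps the access observable: `return *reinterpret_cast<const volatile uint8_t*>(lastByte);`. The other C-style cast, `(uintptr_t)buffer`, would read better as `reinterpret_cast<uintptr_t>(buffer)`.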
Added: trunk/Source/WebCore/platform/graphics/cg/ImageBufferUtilitiesCG.h (0 => 237559)
--- trunk/Source/WebCore/platform/graphics/cg/ImageBufferUtilitiesCG.h (rev 0)
+++ trunk/Source/WebCore/platform/graphics/cg/ImageBufferUtilitiesCG.h 2018-10-29 19:08:24 UTC (rev 237559)
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+namespace WebCore {
+
+WEBCORE_EXPORT uint8_t verifyImageBufferIsBigEnough(const void* buffer, size_t bufferSize);
+
+}
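Review bot: This header uses `uint8_t`, `size_t` and `WEBCORE_EXPORT` but includes nothing, so it compiles only when every includer has already pulled those definitions in. That matters more than usual here because the project file marks it Private and WebKit's ShareableBitmapCG.cpp includes it from another framework. The declaration also has no comment. I would add one saying that the function reads only the final byte of `[buffer, buffer + bufferSize)` so that a bad buffer faults in the caller's frame, that it release-asserts on a zero size, and that a successful return does not prove the whole range is readable.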
Modified: trunk/Source/WebCore/platform/graphics/cocoa/WebGLLayer.mm (237558 => 237559)
--- trunk/Source/WebCore/platform/graphics/cocoa/WebGLLayer.mm 2018-10-29 18:40:13 UTC (rev 237558)
+++ trunk/Source/WebCore/platform/graphics/cocoa/WebGLLayer.mm 2018-10-29 19:08:24 UTC (rev 237559)
@@ -32,6 +32,7 @@
#import "GraphicsContextCG.h"
#import "GraphicsLayer.h"
#import "GraphicsLayerCA.h"
+#import "ImageBufferUtilitiesCG.h"
#import "PlatformCALayer.h"
#import <pal/spi/cocoa/QuartzCoreSPI.h>
#import <wtf/FastMalloc.h>
@@ -110,6 +111,7 @@
glPixelStorei(GL_PACK_ROW_LENGTH, rowBytes / 4);
glReadPixels(0, 0, width, height, GL_BGRA, GL_UNSIGNED_INT_8_8_8_8_REV, data);
+ WebCore::verifyImageBufferIsBigEnough((uint8_t*)data, dataSize);
CGDataProviderRef provider = CGDataProviderCreateWithData(0, data, dataSize, freeData);
CGImageRef image = CGImageCreate(width, height, 8, 32, rowBytes, imageColorSpace.get(),
kCGImageAlphaPremultipliedFirst | kCGBitmapByteOrder32Host, provider, 0, true, kCGRenderingIntentDefault);
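Review bot: The probe runs after `glReadPixels(...)` has already written into `data`, so if the allocation is smaller than `dataSize` the out-of-bounds write happens before the check can attribute it. Moving `WebCore::verifyImageBufferIsBigEnough(data, dataSize);` above the `glPixelStorei`/`glReadPixels` pair would fault before the buffer is filled. The `(uint8_t*)` cast is unnecessary because the parameter is `const void*`. The allocation of `data` and the computation of `dataSize` are outside this hunk, so whether the two can disagree is not visible here.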
Modified: trunk/Source/WebCore/platform/graphics/cv/PixelBufferConformerCV.cpp (237558 => 237559)
--- trunk/Source/WebCore/platform/graphics/cv/PixelBufferConformerCV.cpp 2018-10-29 18:40:13 UTC (rev 237558)
+++ trunk/Source/WebCore/platform/graphics/cv/PixelBufferConformerCV.cpp 2018-10-29 19:08:24 UTC (rev 237559)
@@ -29,6 +29,7 @@
#if HAVE(CORE_VIDEO)
#include "GraphicsContextCG.h"
+#include "ImageBufferUtilitiesCG.h"
#include "Logging.h"
#include <wtf/SoftLinking.h>
@@ -82,6 +83,7 @@
++info->lockCount;
void* address = CVPixelBufferGetBaseAddress(info->pixelBuffer.get());
+ verifyImageBufferIsBigEnough(address, CVPixelBufferGetDataSize(info->pixelBuffer.get()));
RELEASE_LOG_INFO(Media, "CVPixelBufferGetBytePointerCallback() returning bytePointer: %p, size: %zu", address, CVPixelBufferGetDataSize(info->pixelBuffer.get()));
return address;
}
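Review bot: The `RELEASE_LOG_INFO` line that records `address` and the size sits after the probe, so in the case this commit is hunting (the probe faults) those values are never logged. Swapping the two statements keeps the diagnostic data for the crashing call. `CVPixelBufferGetDataSize(info->pixelBuffer.get())` is also evaluated twice; a local such as `size_t byteLength = CVPixelBufferGetDataSize(info->pixelBuffer.get());` would guarantee that the logged and probed sizes are the same value. `address` is not checked for null before the probe, and whether CVPixelBufferGetBaseAddress() can return null at this point depends on locking code above the hunk.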
@@ -177,6 +179,10 @@
size_t bytesPerRow = CVPixelBufferGetBytesPerRow(buffer.get());
size_t byteLength = CVPixelBufferGetDataSize(buffer.get());
+ ASSERT(byteLength);
+ if (!byteLength)
+ return nullptr;
+
CVPixelBufferInfo* info = new CVPixelBufferInfo();
info->pixelBuffer = WTFMove(buffer);
info->lockCount = 0;
Modified: trunk/Source/WebKit/ChangeLog (237558 => 237559)
--- trunk/Source/WebKit/ChangeLog 2018-10-29 18:40:13 UTC (rev 237558)
+++ trunk/Source/WebKit/ChangeLog 2018-10-29 19:08:24 UTC (rev 237559)
@@ -1,3 +1,13 @@
+2018-10-29 Jer Noble <jer.no...@apple.com>
+
+ CRASH in CoreGraphics: ERROR_CGDataProvider_BufferIsNotBigEnough
+ https://bugs.webkit.org/show_bug.cgi?id=190954
+
+ Reviewed by Simon Fraser.
+
+ * Shared/cg/ShareableBitmapCG.cpp:
+ (WebKit::ShareableBitmap::makeCGImage):
+
2018-10-29 Youenn Fablet <you...@apple.com>
Guard H264 simulcast with a runtime flag
Modified: trunk/Source/WebKit/Shared/cg/ShareableBitmapCG.cpp (237558 => 237559)
--- trunk/Source/WebKit/Shared/cg/ShareableBitmapCG.cpp 2018-10-29 18:40:13 UTC (rev 237558)
+++ trunk/Source/WebKit/Shared/cg/ShareableBitmapCG.cpp 2018-10-29 19:08:24 UTC (rev 237559)
@@ -28,6 +28,7 @@
#include <WebCore/BitmapImage.h>
#include <WebCore/GraphicsContextCG.h>
+#include <WebCore/ImageBufferUtilitiesCG.h>
#include <WebCore/PlatformScreen.h>
#include <pal/spi/cg/CoreGraphicsSPI.h>
#include <pal/spi/cocoa/IOSurfaceSPI.h>
@@ -120,6 +121,7 @@
RetainPtr<CGImageRef> ShareableBitmap::makeCGImage()
{
ref(); // Balanced by deref in releaseDataProviderData.
+ verifyImageBufferIsBigEnough(data(), sizeInBytes());
RetainPtr<CGDataProvider> dataProvider = adoptCF(CGDataProviderCreateWithData(this, data(), sizeInBytes(), releaseDataProviderData));
return createCGImage(dataProvider.get());
}