Title: [91603] branches/safari-534.51-branch

Diff

Modified: branches/safari-534.51-branch/LayoutTests/ChangeLog (91602 => 91603)


--- branches/safari-534.51-branch/LayoutTests/ChangeLog	2011-07-22 20:49:49 UTC (rev 91602)
+++ branches/safari-534.51-branch/LayoutTests/ChangeLog	2011-07-22 20:51:03 UTC (rev 91603)
@@ -1,5 +1,19 @@
 2011-07-22  Lucas Forschler  <lforsch...@apple.com>
 
+    Merged 87171.
+
+    2011-05-24  Matthew Delaney  <mdela...@apple.com>
+
+        Reviewed by Simon Fraser.
+
+        Clamp coordinates to integers for canvas create/getImageData routines
+        https://bugs.webkit.org/show_bug.cgi?id=61135
+
+        * fast/canvas/canvas-getImageData-largeNonintegralDimensions-expected.txt: Added.
+        * fast/canvas/canvas-getImageData-largeNonintegralDimensions.html: Added.
+
+2011-07-22  Lucas Forschler  <lforsch...@apple.com>
+
     Merged 91066.
 
     2011-07-15  Jeff Miller  <je...@apple.com>

Copied: branches/safari-534.51-branch/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions-expected.txt (from rev 87171, trunk/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions-expected.txt) (0 => 91603)


--- branches/safari-534.51-branch/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions-expected.txt	                        (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions-expected.txt	2011-07-22 20:51:03 UTC (rev 91603)
@@ -0,0 +1 @@
+PASS!

Copied: branches/safari-534.51-branch/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions.html (from rev 87171, trunk/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions.html) (0 => 91603)


--- branches/safari-534.51-branch/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions.html	                        (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/fast/canvas/canvas-getImageData-largeNonintegralDimensions.html	2011-07-22 20:51:03 UTC (rev 91603)
@@ -0,0 +1,11 @@
+<html>
+PASS!
+<script>
+if (window.layoutTestController)
+    window.layoutTestController.dumpAsText();
+
+var canvas = document.createElement("canvas");
+var ctx = canvas.getContext("2d");
+ctx.getImageData(100.5, 2147483647.5, -2048.5, -2048.5);
+</script>
+</html>

Modified: branches/safari-534.51-branch/Source/WebCore/ChangeLog (91602 => 91603)


--- branches/safari-534.51-branch/Source/WebCore/ChangeLog	2011-07-22 20:49:49 UTC (rev 91602)
+++ branches/safari-534.51-branch/Source/WebCore/ChangeLog	2011-07-22 20:51:03 UTC (rev 91603)
@@ -1,5 +1,26 @@
 2011-07-22  Lucas Forschler  <lforsch...@apple.com>
 
+    Merged 87171.
+
+    2011-05-24  Matthew Delaney  <mdela...@apple.com>
+
+        Reviewed by Simon Fraser.
+
+        Clamp coordinates to integers for canvas create/getImageData routines
+        https://bugs.webkit.org/show_bug.cgi?id=61135
+
+        Test: fast/canvas/canvas-getImageData-largeNonintegralDimensions.html
+
+        * html/HTMLCanvasElement.cpp:
+        (WebCore::HTMLCanvasElement::convertLogicalToDevice): clamp to ints
+        * html/canvas/CanvasRenderingContext2D.cpp:
+        (WebCore::CanvasRenderingContext2D::createImageData):
+        (WebCore::CanvasRenderingContext2D::getImageData):
+        * platform/graphics/cg/ImageBufferDataCG.cpp:
+        (WebCore::ImageBufferData::getData):
+
+2011-07-22  Lucas Forschler  <lforsch...@apple.com>
+
     Merged 87103.
 
     2011-05-23  Matthew Delaney  <mdela...@apple.com>

Modified: branches/safari-534.51-branch/Source/WebCore/html/HTMLCanvasElement.cpp (91602 => 91603)


--- branches/safari-534.51-branch/Source/WebCore/html/HTMLCanvasElement.cpp	2011-07-22 20:49:49 UTC (rev 91602)
+++ branches/safari-534.51-branch/Source/WebCore/html/HTMLCanvasElement.cpp	2011-07-22 20:51:03 UTC (rev 91603)
@@ -373,17 +373,21 @@
 
 IntRect HTMLCanvasElement::convertLogicalToDevice(const FloatRect& logicalRect) const
 {
-    float left = floorf(logicalRect.x() * m_pageScaleFactor);
-    float top = floorf(logicalRect.y() * m_pageScaleFactor);
-    float right = ceilf(logicalRect.maxX() * m_pageScaleFactor);
-    float bottom = ceilf(logicalRect.maxY() * m_pageScaleFactor);
-    
+    // Prevent under/overflow by ensuring the rect's bounds stay within integer-expressible range
+    int left = clampToInteger(floorf(logicalRect.x() * m_pageScaleFactor));
+    int top = clampToInteger(floorf(logicalRect.y() * m_pageScaleFactor));
+    int right = clampToInteger(ceilf(logicalRect.maxX() * m_pageScaleFactor));
+    int bottom = clampToInteger(ceilf(logicalRect.maxY() * m_pageScaleFactor));
+
     return IntRect(IntPoint(left, top), convertToValidDeviceSize(right - left, bottom - top));
 }
 
 IntSize HTMLCanvasElement::convertLogicalToDevice(const FloatSize& logicalSize) const
 {
-    return convertToValidDeviceSize(logicalSize.width() * m_pageScaleFactor, logicalSize.height() * m_pageScaleFactor);
+    // Prevent overflow by ensuring the rect's bounds stay within integer-expressible range
+    float width = clampToInteger(ceilf(logicalSize.width() * m_pageScaleFactor));
+    float height = clampToInteger(ceilf(logicalSize.height() * m_pageScaleFactor));
+    return convertToValidDeviceSize(width, height);
 }
 
 IntSize HTMLCanvasElement::convertToValidDeviceSize(float width, float height) const
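Review bot: Changing left/top/right/bottom from float to int makes `right - left` and `bottom - top` on the unchanged `return` line signed-int subtractions, so a rect whose x clamps to INT_MIN and whose maxX clamps to INT_MAX now overflows int (undefined behaviour) before the result is widened to float — previously those differences were computed in float. Since clampToInteger is meant to make these extremes safe, the subtraction should be done in float: `return IntRect(IntPoint(left, top), convertToValidDeviceSize(static_cast<float>(right) - static_cast<float>(left), static_cast<float>(bottom) - static_cast<float>(top)));`. The comment added in the FloatSize overload says "rect's bounds" although that function clamps a size, so `// Prevent overflow by keeping the size within integer-expressible range` would read more accurately. convertToValidDeviceSize's body is outside the hunk, so whether it re-validates the size cannot be confirmed here.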

Modified: branches/safari-534.51-branch/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp (91602 => 91603)


--- branches/safari-534.51-branch/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp	2011-07-22 20:49:49 UTC (rev 91602)
+++ branches/safari-534.51-branch/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp	2011-07-22 20:51:03 UTC (rev 91603)
@@ -1657,6 +1657,10 @@
     if (scaledSize.height() < 1)
         scaledSize.setHeight(1);
 
+    float area = 4.0f * scaledSize.width() * scaledSize.height();
+    if (area > static_cast<float>(std::numeric_limits<int>::max()))
+        return 0;
+
     return createEmptyImageData(scaledSize);
 }
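Review bot: The new overflow guard compares a single-precision `area` against `static_cast<float>(std::numeric_limits<int>::max())`, which rounds to 2147483648.0f, so any product 4*w*h in the range 2^31 .. 2^31+128 also rounds to 2147483648.0f, passes the `>` test, and then overflows when the size is recomputed in int by the callee; e.g. w*h == 536870912 is admitted. Computing in double (exact for these magnitudes) closes the gap: `double area = 4.0 * scaledSize.width() * scaledSize.height();` and `if (area > static_cast<double>(std::numeric_limits<int>::max()))`. The same check with the same rounding issue is added in ImageBufferData::getData in ImageBufferDataCG.cpp, where the subsequent `rect.width() * rect.height() * 4` is the int expression that would overflow; fix it the same way there. Whether `<limits>` is already included in these files is not visible in the hunks.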
 
@@ -1693,7 +1697,12 @@
     ImageBuffer* buffer = canvas()->buffer();
     if (!buffer)
         return createEmptyImageData(scaledRect.size());
-    return ImageData::create(scaledRect.size(), buffer->getUnmultipliedImageData(scaledRect));
+
+    RefPtr<ByteArray> byteArray = buffer->getUnmultipliedImageData(scaledRect);
+    if (!byteArray)
+        return 0;
+
+    return ImageData::create(scaledRect.size(), byteArray.release());
 }
 
 void CanvasRenderingContext2D::putImageData(ImageData* data, float dx, float dy, ExceptionCode& ec)

Modified: branches/safari-534.51-branch/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp (91602 => 91603)


--- branches/safari-534.51-branch/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp	2011-07-22 20:49:49 UTC (rev 91602)
+++ branches/safari-534.51-branch/Source/WebCore/platform/graphics/cg/ImageBufferDataCG.cpp	2011-07-22 20:51:03 UTC (rev 91603)
@@ -110,6 +110,10 @@
 
 PassRefPtr<ByteArray> ImageBufferData::getData(const IntRect& rect, const IntSize& size, bool accelerateRendering, bool unmultiplied) const
 {
+    float area = 4.0f * rect.width() * rect.height();
+    if (area > static_cast<float>(std::numeric_limits<int>::max()))
+        return 0;
+
     RefPtr<ByteArray> result = ByteArray::create(rect.width() * rect.height() * 4);
     unsigned char* data = ""
     