Title: [210193] releases/WebKitGTK/webkit-2.14/Source
Revision: 210193
Author: [email protected]
Date: 2016-12-28 02:28:40 -0800 (Wed, 28 Dec 2016)

Log Message

Merge r207708 - Bug 163762: IntSize::area() should use checked arithmetic
<https://webkit.org/b/163762>

Reviewed by Darin Adler.

Source/WebCore:

No new tests since no change in nominal behavior.

* platform/graphics/IntSize.h:
(WebCore::IntSize::area): Change to return a
Checked<unsigned, T> value. Use WTF:: namespace to avoid
including another header.

* platform/graphics/IntRect.h:
(WebCore::IntRect::area): Ditto.

The remaining changes are to use the Checked<unsigned> return
value of IntSize::area() and IntRect::area() correctly in
context, in addition to items noted below.

* html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::isTopLevelFullPagePlugin):
Declare contentWidth and contentHeight as float values to
prevent overflow when computing the area, and to make the
inequality comparison in the return statement use the same type
for both sides.
* html/ImageData.cpp:
(WebCore::ImageData::ImageData):
* html/MediaElementSession.cpp:
(WebCore::isElementRectMostlyInMainFrame):
* platform/graphics/ImageBackingStore.h:
(WebCore::ImageBackingStore::setSize): Restructure logic to
compute area only once.
(WebCore::ImageBackingStore::clear):
* platform/graphics/ImageFrame.h:
(WebCore::ImageFrame::frameBytes):
* platform/graphics/ImageSource.cpp:
(WebCore::ImageSource::maximumSubsamplingLevel):
* platform/graphics/ca/LayerPool.cpp:
(WebCore::LayerPool::backingStoreBytesForSize):
* platform/graphics/cg/ImageDecoderCG.cpp:
(WebCore::ImageDecoder::frameBytesAtIndex):
* platform/graphics/filters/FEGaussianBlur.cpp:
(WebCore::FEGaussianBlur::platformApplySoftware):
* platform/graphics/filters/FilterEffect.cpp:
(WebCore::FilterEffect::asUnmultipliedImage):
(WebCore::FilterEffect::asPremultipliedImage):
(WebCore::FilterEffect::copyUnmultipliedImage):
(WebCore::FilterEffect::copyPremultipliedImage):
(WebCore::FilterEffect::createUnmultipliedImageResult):
(WebCore::FilterEffect::createPremultipliedImageResult):
* platform/graphics/win/ImageBufferDataDirect2D.cpp:
(WebCore::ImageBufferData::getData): Update overflow check,
rename local variable to numBytes, and compute numBytes once.
* platform/graphics/win/ImageDecoderDirect2D.cpp:
(WebCore::ImageDecoder::frameBytesAtIndex):
* platform/image-decoders/ImageDecoder.cpp:
(WebCore::ImageDecoder::frameBytesAtIndex):
* platform/ios/LegacyTileLayerPool.mm:
(WebCore::LegacyTileLayerPool::bytesBackingLayerWithPixelSize):
* rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::requiresCompositingForCanvas):
* rendering/shapes/Shape.cpp:
(WebCore::Shape::createRasterShape):

Source/WebKit2:

* Shared/ShareableBitmap.cpp:
(WebKit::ShareableBitmap::create): Add overflow check and return
nullptr on overflow.
(WebKit::ShareableBitmap::createShareable): Ditto.
(WebKit::ShareableBitmap::create): Change debug assert for
adequate buffer size check into release check.
* Shared/ShareableBitmap.h:
(WebKit::ShareableBitmap::numBytesForSize): Change to return a
Checked<unsigned, RecordOverflow> value.
(WebKit::ShareableBitmap::sizeInBytes):
* Shared/cairo/ShareableBitmapCairo.cpp:
(WebKit::ShareableBitmap::numBytesForSize): Ditto.
* UIProcess/API/Cocoa/WKWebView.mm:
(-[WKWebView _takeViewSnapshot]): Call unsafeGet().

Tools:

* TestWebKitAPI/Tests/WebCore/IntRect.cpp:
(TestWebKitAPI::TEST): Call unsafeGet().
* TestWebKitAPI/Tests/WebCore/IntSize.cpp:
(TestWebKitAPI::TEST): Ditto.

Diff

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog	2016-12-28 10:28:40 UTC (rev 210193)
@@ -1,3 +1,69 @@
+2016-10-21  David Kilzer  <[email protected]>
+
+        Bug 163762: IntSize::area() should used checked arithmetic
+        <https://webkit.org/b/163762>
+
+        Reviewed by Darin Adler.
+
+        No new tests since no change in nominal behavior.
+
+        * platform/graphics/IntSize.h:
+        (WebCore::IntSize::area): Change to return a
+        Checked<unsigned, T> value. Use WTF:: namespace to avoid
+        including another header.
+
+        * platform/graphics/IntRect.h:
+        (WebCore::IntRect::area): Ditto.
+
+        The remaining changes are to use the Checked<unsigned> return
+        value of IntSize::area() and IntRect::area() correctly in
+        context, in addition to items noted below.
+
+        * html/HTMLPlugInImageElement.cpp:
+        (WebCore::HTMLPlugInImageElement::isTopLevelFullPagePlugin):
+        Declare contentWidth and contentHeight as float values to
+        prevent overflow when computing the area, and to make the
+        inequality comparison in the return statement uses the same type
+        for both sides.
+        * html/ImageData.cpp:
+        (WebCore::ImageData::ImageData):
+        * html/MediaElementSession.cpp:
+        (WebCore::isElementRectMostlyInMainFrame):
+        * platform/graphics/ImageBackingStore.h:
+        (WebCore::ImageBackingStore::setSize): Restructure logic to
+        compute area only once.
+        (WebCore::ImageBackingStore::clear):
+        * platform/graphics/ImageFrame.h:
+        (WebCore::ImageFrame::frameBytes):
+        * platform/graphics/ImageSource.cpp:
+        (WebCore::ImageSource::maximumSubsamplingLevel):
+        * platform/graphics/ca/LayerPool.cpp:
+        (WebCore::LayerPool::backingStoreBytesForSize):
+        * platform/graphics/cg/ImageDecoderCG.cpp:
+        (WebCore::ImageDecoder::frameBytesAtIndex):
+        * platform/graphics/filters/FEGaussianBlur.cpp:
+        (WebCore::FEGaussianBlur::platformApplySoftware):
+        * platform/graphics/filters/FilterEffect.cpp:
+        (WebCore::FilterEffect::asUnmultipliedImage):
+        (WebCore::FilterEffect::asPremultipliedImage):
+        (WebCore::FilterEffect::copyUnmultipliedImage):
+        (WebCore::FilterEffect::copyPremultipliedImage):
+        (WebCore::FilterEffect::createUnmultipliedImageResult):
+        (WebCore::FilterEffect::createPremultipliedImageResult):
+        * platform/graphics/win/ImageBufferDataDirect2D.cpp:
+        (WebCore::ImageBufferData::getData): Update overflow check,
+        rename local variable to numBytes, and compute numBytes once.
+        * platform/graphics/win/ImageDecoderDirect2D.cpp:
+        (WebCore::ImageDecoder::frameBytesAtIndex):
+        * platform/image-decoders/ImageDecoder.cpp:
+        (WebCore::ImageDecoder::frameBytesAtIndex):
+        * platform/ios/LegacyTileLayerPool.mm:
+        (WebCore::LegacyTileLayerPool::bytesBackingLayerWithPixelSize):
+        * rendering/RenderLayerCompositor.cpp:
+        (WebCore::RenderLayerCompositor::requiresCompositingForCanvas):
+        * rendering/shapes/Shape.cpp:
+        (WebCore::Shape::createRasterShape):
+
 2016-10-20  Dean Jackson  <[email protected]>
 
         SVG should not paint selection within a mask
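
Review bot: the merged ChangeLog entry does not match the merged diff. It lists html/MediaElementSession.cpp, platform/graphics/ImageBackingStore.h, platform/graphics/ImageFrame.h and the two platform/graphics/win/ files, none of which appear in this revision, and it omits platform/graphics/BitmapImage.cpp, which this revision does change. For a branch merge the entry should describe what was actually applied to webkit-2.14 (a short "merged with adaptations for this branch" line naming the differences is enough); otherwise the branch history claims fixes it does not carry. The entry title also keeps the typo "should used".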

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/html/HTMLPlugInImageElement.cpp (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/html/HTMLPlugInImageElement.cpp	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/html/HTMLPlugInImageElement.cpp	2016-12-28 10:28:40 UTC (rev 210193)
@@ -587,9 +587,9 @@
     auto& style = renderer.style();
     IntSize visibleSize = frame.view()->visibleSize();
     LayoutRect contentRect = renderer.contentBoxRect();
-    int contentWidth = contentRect.width();
-    int contentHeight = contentRect.height();
-    return is100Percent(style.width()) && is100Percent(style.height()) && contentWidth * contentHeight > visibleSize.area() * sizingFullPageAreaRatioThreshold;
+    float contentWidth = contentRect.width();
+    float contentHeight = contentRect.height();
+    return is100Percent(style.width()) && is100Percent(style.height()) && contentWidth * contentHeight > visibleSize.area().unsafeGet() * sizingFullPageAreaRatioThreshold;
 }
     
 void HTMLPlugInImageElement::checkSnapshotStatus()
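
Review bot: the right-hand side still uses the default CrashOnOverflow handler, so `visibleSize.area().unsafeGet()` turns an overflowing visible-area computation into a release crash, while the left-hand side was deliberately moved to float precisely to avoid overflow. Since the product is only compared against a float threshold, compute the right side in float as well (`static_cast<float>(visibleSize.width()) * visibleSize.height() * sizingFullPageAreaRatioThreshold`) or use `area<RecordOverflow>()` with an explicit fallback, so this predicate has no crash path at all.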

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/html/ImageData.cpp (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/html/ImageData.cpp	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/html/ImageData.cpp	2016-12-28 10:28:40 UTC (rev 210193)
@@ -113,7 +113,7 @@
 
 ImageData::ImageData(const IntSize& size)
     : m_size(size)
-    , m_data(Uint8ClampedArray::createUninitialized(size.width() * size.height() * 4))
+    , m_data(Uint8ClampedArray::createUninitialized((size.area() * 4).unsafeGet()))
 {
     ASSERT_WITH_SECURITY_IMPLICATION(m_data);
 }
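
Review bot: `(size.area() * 4).unsafeGet()` uses the default CrashOnOverflow handler, so a size whose byte count exceeds `unsigned` now terminates the process inside a constructor instead of wrapping to an under-sized allocation. That is the right trade against a short buffer, but sizes reaching this constructor can originate from script, so the create() path that calls it should reject overflow of `size.area<RecordOverflow>() * 4` up front (return null or throw) and leave the crash as the last line of defence; that caller is not in this diff and needs checking separately. Note also that `ASSERT_WITH_SECURITY_IMPLICATION(m_data)` is debug-only, so a failed createUninitialized still leaves m_data null in release.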
@@ -122,7 +122,8 @@
     : m_size(size)
     , m_data(WTFMove(byteArray))
 {
-    ASSERT_WITH_SECURITY_IMPLICATION(static_cast<unsigned>(size.width() * size.height() * 4) <= m_data->length());
+    ASSERT(m_data);
+    ASSERT_WITH_SECURITY_IMPLICATION(!m_data || (size.area() * 4).unsafeGet() <= m_data->length());
 }
 
 }
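
Review bot: `!m_data ||` in the second assertion is redundant with the `ASSERT(m_data)` directly above it, and more importantly both checks are debug-only: in release a byteArray shorter than `size.area() * 4` bytes is still accepted, which is exactly the case the SECURITY_IMPLICATION label is about. If callers are not all guaranteed to validate the length, make the length check a RELEASE_ASSERT or have the factory refuse the byteArray; if they do validate, a comment saying where would help the next reader.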

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/BitmapImage.cpp (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/BitmapImage.cpp	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/BitmapImage.cpp	2016-12-28 10:28:40 UTC (rev 210193)
@@ -71,7 +71,7 @@
     // Since we don't have a decoder, we can't figure out the image orientation.
     // Set m_sizeRespectingOrientation to be the same as m_size so it's not 0x0.
     m_sizeRespectingOrientation = m_size = NativeImage::size(image);
-    m_decodedSize = m_size.area() * 4;
+    m_decodedSize = (m_size.area() * 4).unsafeGet();
     
     m_frames.grow(1);
     m_frames[0].m_hasAlpha = NativeImage::hasAlpha(image);
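
Review bot: this file is not named in the ChangeLog entry above, presumably because the decoder-side files listed there differ on this branch; the branch ChangeLog should say that BitmapImage.cpp was adapted instead. The change itself is fine: m_decodedSize now comes from a checked `area() * 4`, so a frame whose byte count overflows crashes rather than under-reporting decoded memory to the cache.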

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/ImageSource.cpp (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/ImageSource.cpp	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/ImageSource.cpp	2016-12-28 10:28:40 UTC (rev 210193)
@@ -103,7 +103,7 @@
     const SubsamplingLevel maxSubsamplingLevel = 3;
     
     for (SubsamplingLevel level = 0; level < maxSubsamplingLevel; ++level) {
-        if (frameSizeAtIndex(0, level).area() < maximumImageAreaBeforeSubsampling)
+        if (frameSizeAtIndex(0, level).area().unsafeGet() < maximumImageAreaBeforeSubsampling)
             return level;
     }
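
Review bot: `frameSizeAtIndex(0, level)` comes from the decoder, i.e. from dimensions declared in untrusted image data, and `area()` here uses the default CrashOnOverflow handler, so a header declaring an area above 2^32-1 pixels now crashes the web process at this comparison instead of taking a wrong branch. Unless the decoder already rejects such sizes before this point, `area<RecordOverflow>()` with overflow treated as "too large, keep subsampling" (continue the loop) is the graceful form; the decoder's own size limits should remain the real defence.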
     
@@ -206,7 +206,7 @@
 
 unsigned ImageSource::frameBytesAtIndex(size_t index, SubsamplingLevel subsamplingLevel) const
 {
-    return frameSizeAtIndex(index, subsamplingLevel).area() * 4;
+    return (frameSizeAtIndex(index, subsamplingLevel).area() * 4).unsafeGet();
 }
 
 float ImageSource::frameDurationAtIndex(size_t index)
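
Review bot: the return type is `unsigned`, so `area() * 4` overflows for any frame at or above 2^30 pixels (32768x32768, well within what an image header can declare), and with CrashOnOverflow that is a crash on a crafted image rather than the old wrap. For a byte count used in cache accounting, `area<RecordOverflow>() * 4` with overflow mapped to `std::numeric_limits<unsigned>::max()` (checking `hasOverflowed()` before calling `unsafeGet()`, which itself crashes on an overflowed value) saturates instead of crashing; if the decoder guarantees a size limit below this, a comment stating that would justify keeping the crash handler.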

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/IntRect.h (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/IntRect.h	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/IntRect.h	2016-12-28 10:28:40 UTC (rev 210193)
@@ -85,9 +85,10 @@
     int maxY() const { return y() + height(); }
     int width() const { return m_size.width(); }
     int height() const { return m_size.height(); }
-    
-    unsigned area() const { return m_size.area(); }
 
+    template <typename T = WTF::CrashOnOverflow>
+    Checked<unsigned, T> area() const { return m_size.area<T>(); }
+
     void setX(int x) { m_location.setX(x); }
     void setY(int y) { m_location.setY(y); }
     void setWidth(int width) { m_size.setWidth(width); }
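
Review bot: `area()` now defaults to CrashOnOverflow for every existing caller, including IntRect users that never asked for checked arithmetic. Consider dropping the default so each call site must name its handler and gets reviewed for whether a crash is acceptable there (rects derived from untrusted content such as image headers or canvas attributes generally want RecordOverflow), as this same patch does for ShareableBitmap::numBytesForSize. Also `Checked` is written unqualified while `CrashOnOverflow` gets the `WTF::` prefix; pick one, given the ChangeLog's stated reason for the qualification.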

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/IntSize.h (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/IntSize.h	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/IntSize.h	2016-12-28 10:28:40 UTC (rev 210193)
@@ -125,9 +125,10 @@
 
     IntSize constrainedBetween(const IntSize& min, const IntSize& max) const;
 
-    unsigned area() const
+    template <typename T = WTF::CrashOnOverflow>
+    Checked<unsigned, T> area() const
     {
-        return abs(m_width) * abs(m_height);
+        return Checked<unsigned, T>(abs(m_width)) * abs(m_height);
     }
 
     int diagonalLengthSquared() const
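
Review bot: `abs(m_width)` and `abs(m_height)` are still evaluated in plain `int` before anything enters `Checked`, so `abs(INT_MIN)` remains undefined behaviour; the compiler may assume it cannot happen and elide the very range check the `Checked<unsigned, T>` conversion is supposed to provide. Take the absolute value in a wider type (e.g. through `int64_t`) or treat INT_MIN explicitly as overflow before converting. The rest of the expression is right: constructing `Checked<unsigned, T>` from the first operand and multiplying by the second range-checks both the conversion and the product.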

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/ca/LayerPool.cpp (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/ca/LayerPool.cpp	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/ca/LayerPool.cpp	2016-12-28 10:28:40 UTC (rev 210193)
@@ -56,7 +56,7 @@
 
 unsigned LayerPool::backingStoreBytesForSize(const IntSize& size)
 {
-    return size.width() * size.height() * 4;
+    return (size.area() * 4).unsafeGet();
 }
 
 LayerPool::LayerList& LayerPool::listOfLayersWithSize(const IntSize& size, AccessType accessType)

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/cg/ImageDecoderCG.cpp (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/cg/ImageDecoderCG.cpp	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/cg/ImageDecoderCG.cpp	2016-12-28 10:28:40 UTC (rev 210193)
@@ -335,7 +335,7 @@
 unsigned ImageDecoder::frameBytesAtIndex(size_t index, SubsamplingLevel subsamplingLevel) const
 {
     IntSize frameSize = frameSizeAtIndex(index, subsamplingLevel);
-    return frameSize.area() * 4;
+    return (frameSize.area() * 4).unsafeGet();
 }
 
 NativeImagePtr ImageDecoder::createFrameImageAtIndex(size_t index, SubsamplingLevel subsamplingLevel) const

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp	2016-12-28 10:28:40 UTC (rev 210193)
@@ -539,7 +539,7 @@
 
     IntSize paintSize = absolutePaintRect().size();
     paintSize.scale(filter().filterScale());
-    RefPtr<Uint8ClampedArray> tmpImageData = Uint8ClampedArray::createUninitialized(paintSize.width() * paintSize.height() * 4);
+    RefPtr<Uint8ClampedArray> tmpImageData = Uint8ClampedArray::createUninitialized((paintSize.area() * 4).unsafeGet());
     if (!tmpImageData) {
         WTFLogAlways("FEGaussianBlur::platformApplySoftware Unable to create buffer. Requested size was %d x %d\n", paintSize.width(), paintSize.height());
         return;
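
Review bot: the `if (!tmpImageData)` fallback right below can no longer be reached for the overflow case: with the default CrashOnOverflow handler, `unsafeGet()` crashes before `createUninitialized` ever sees the size. Since this function already has a graceful error path (log and return), use `paintSize.area<RecordOverflow>() * 4`, check `hasOverflowed()` and take that same path; the crash handler only makes sense where nothing better can be done. Unlike the FilterEffect.cpp call sites there is also no `sizeNeedsClamping` assertion on paintSize here.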

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/filters/FilterEffect.cpp (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/filters/FilterEffect.cpp	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/graphics/filters/FilterEffect.cpp	2016-12-28 10:28:40 UTC (rev 210193)
@@ -237,7 +237,7 @@
     IntSize scaledSize(rect.size());
     ASSERT(!ImageBuffer::sizeNeedsClamping(scaledSize));
     scaledSize.scale(m_filter.filterScale());
-    auto imageData = Uint8ClampedArray::createUninitialized(scaledSize.width() * scaledSize.height() * 4);
+    auto imageData = Uint8ClampedArray::createUninitialized((scaledSize.area() * 4).unsafeGet());
     copyUnmultipliedImage(imageData.get(), rect);
     return WTFMove(imageData);
 }
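
Review bot: `ASSERT(!ImageBuffer::sizeNeedsClamping(scaledSize))` runs before `scaledSize.scale(m_filter.filterScale())`, so the size that is actually multiplied out is never checked against the clamp, and the assertion is debug-only anyway. The checked `area()` now turns that gap into a release crash instead of a wrap, which is safer but still a crash on a large filter region; moving the clamp check after the scale and returning early when it fails would avoid reaching the overflow at all. Also worth confirming that `copyUnmultipliedImage` tolerates a null `imageData` when `createUninitialized` fails.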
@@ -247,7 +247,7 @@
     IntSize scaledSize(rect.size());
     ASSERT(!ImageBuffer::sizeNeedsClamping(scaledSize));
     scaledSize.scale(m_filter.filterScale());
-    auto imageData = Uint8ClampedArray::createUninitialized(scaledSize.width() * scaledSize.height() * 4);
+    auto imageData = Uint8ClampedArray::createUninitialized((scaledSize.area() * 4).unsafeGet());
     copyPremultipliedImage(imageData.get(), rect);
     return WTFMove(imageData);
 }
@@ -316,7 +316,7 @@
             IntSize inputSize(m_absolutePaintRect.size());
             ASSERT(!ImageBuffer::sizeNeedsClamping(inputSize));
             inputSize.scale(m_filter.filterScale());
-            m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized(inputSize.width() * inputSize.height() * 4);
+            m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized((inputSize.area() * 4).unsafeGet());
             if (!m_unmultipliedImageResult) {
                 WTFLogAlways("FilterEffect::copyUnmultipliedImage Unable to create buffer. Requested size was %d x %d\n", inputSize.width(), inputSize.height());
                 return;
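
Review bot: same pattern as FEGaussianBlur: the `if (!m_unmultipliedImageResult)` branch below already logs and returns, but with CrashOnOverflow the overflow case never reaches it. `inputSize.area<RecordOverflow>() * 4` plus a `hasOverflowed()` check feeding the same early return keeps the existing error handling meaningful.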
@@ -323,7 +323,7 @@
             }
             unsigned char* sourceComponent = m_premultipliedImageResult->data();
             unsigned char* destinationComponent = m_unmultipliedImageResult->data();
-            unsigned char* end = sourceComponent + (inputSize.width() * inputSize.height() * 4);
+            unsigned char* end = sourceComponent + (inputSize.area() * 4).unsafeGet();
             while (sourceComponent < end) {
                 int alpha = sourceComponent[3];
                 if (alpha) {
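
Review bot: `(inputSize.area() * 4).unsafeGet()` is evaluated a second time here to compute `end`, duplicating the allocation size from the hunk above. Compute it once into a local (`numBytes`) and use it for both `createUninitialized` and `end`, as the ChangeLog says was done in ImageBufferDataDirect2D.cpp, so the loop bound cannot drift from the buffer size; the same applies to the premultiplied copy further down.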
@@ -356,7 +356,7 @@
             IntSize inputSize(m_absolutePaintRect.size());
             ASSERT(!ImageBuffer::sizeNeedsClamping(inputSize));
             inputSize.scale(m_filter.filterScale());
-            m_premultipliedImageResult = Uint8ClampedArray::createUninitialized(inputSize.width() * inputSize.height() * 4);
+            m_premultipliedImageResult = Uint8ClampedArray::createUninitialized((inputSize.area() * 4).unsafeGet());
             if (!m_premultipliedImageResult) {
                 WTFLogAlways("FilterEffect::copyPremultipliedImage Unable to create buffer. Requested size was %d x %d\n", inputSize.width(), inputSize.height());
                 return;
@@ -363,7 +363,7 @@
             }
             unsigned char* sourceComponent = m_unmultipliedImageResult->data();
             unsigned char* destinationComponent = m_premultipliedImageResult->data();
-            unsigned char* end = sourceComponent + (inputSize.width() * inputSize.height() * 4);
+            unsigned char* end = sourceComponent + (inputSize.area() * 4).unsafeGet();
             while (sourceComponent < end) {
                 int alpha = sourceComponent[3];
                 destinationComponent[0] = static_cast<int>(sourceComponent[0]) * alpha / 255;
@@ -403,7 +403,7 @@
     IntSize resultSize(m_absolutePaintRect.size());
     ASSERT(!ImageBuffer::sizeNeedsClamping(resultSize));
     resultSize.scale(m_filter.filterScale());
-    m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized(resultSize.width() * resultSize.height() * 4);
+    m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized((resultSize.area() * 4).unsafeGet());
     return m_unmultipliedImageResult.get();
 }
 
@@ -417,7 +417,7 @@
     IntSize resultSize(m_absolutePaintRect.size());
     ASSERT(!ImageBuffer::sizeNeedsClamping(resultSize));
     resultSize.scale(m_filter.filterScale());
-    m_premultipliedImageResult = Uint8ClampedArray::createUninitialized(resultSize.width() * resultSize.height() * 4);
+    m_premultipliedImageResult = Uint8ClampedArray::createUninitialized((resultSize.area() * 4).unsafeGet());
     return m_premultipliedImageResult.get();
 }
 

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/image-decoders/ImageDecoder.cpp (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/image-decoders/ImageDecoder.cpp	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/image-decoders/ImageDecoder.cpp	2016-12-28 10:28:40 UTC (rev 210193)
@@ -291,7 +291,7 @@
     if (m_frameBufferCache.size() <= index)
         return 0;
     // FIXME: Use the dimension of the requested frame.
-    return m_size.area() * sizeof(ImageFrame::PixelData);
+    return (m_size.area() * sizeof(ImageFrame::PixelData)).unsafeGet();
 }
 
 float ImageDecoder::frameDurationAtIndex(size_t index)
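
Review bot: `sizeof(ImageFrame::PixelData)` is a `size_t`, and Checked's mixed-type arithmetic promotes to the wider operand type, so on 64-bit this product is checked at 64-bit width and then silently narrowed to the `unsigned` return type: a 2^30-pixel frame times 4 bytes passes the check and returns 0. Keep the check at the width of the return type, e.g. multiply by `static_cast<unsigned>(sizeof(ImageFrame::PixelData))` (the other frameBytesAtIndex changes in this patch use a plain `4` and do not have this problem), or change the return type to size_t.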

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/ios/LegacyTileLayerPool.mm (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/ios/LegacyTileLayerPool.mm	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/platform/ios/LegacyTileLayerPool.mm	2016-12-28 10:28:40 UTC (rev 210193)
@@ -55,7 +55,7 @@
 
 unsigned LegacyTileLayerPool::bytesBackingLayerWithPixelSize(const IntSize& size)
 {
-    return size.width() * size.height() * 4;
+    return (size.area() * 4).unsafeGet();
 }
 
 LegacyTileLayerPool::LayerList& LegacyTileLayerPool::listOfLayersWithSize(const IntSize& size, AccessType accessType)

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderLayerCompositor.cpp (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderLayerCompositor.cpp	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderLayerCompositor.cpp	2016-12-28 10:28:40 UTC (rev 210193)
@@ -2544,7 +2544,7 @@
         bool isCanvasLargeEnoughToForceCompositing = true;
 #else
         HTMLCanvasElement* canvas = downcast<HTMLCanvasElement>(renderer.element());
-        bool isCanvasLargeEnoughToForceCompositing = canvas->size().area() >= canvasAreaThresholdRequiringCompositing;
+        bool isCanvasLargeEnoughToForceCompositing = canvas->size().area().unsafeGet() >= canvasAreaThresholdRequiringCompositing;
 #endif
         CanvasCompositingStrategy compositingStrategy = canvasCompositingStrategy(renderer);
         return compositingStrategy == CanvasAsLayerContents || (compositingStrategy == CanvasPaintedToLayer && isCanvasLargeEnoughToForceCompositing);
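
Review bot: `canvas->size()` reflects the element's width/height attributes, which script sets freely (the maximum-area limit is applied when the backing buffer is created, not to the attribute values), so unless that size is clamped somewhere before this point, `<canvas width="100000" height="100000">` now crashes the web process here through CrashOnOverflow. For a "large enough to composite" decision, `area<RecordOverflow>()` with overflow treated as true is the right answer and has no crash path.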

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/shapes/Shape.cpp (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/shapes/Shape.cpp	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/shapes/Shape.cpp	2016-12-28 10:28:40 UTC (rev 210193)
@@ -196,7 +196,7 @@
         int minBufferY = std::max(0, marginRect.y() - imageRect.y());
         int maxBufferY = std::min(imageRect.height(), marginRect.maxY() - imageRect.y());
 
-        if (static_cast<unsigned>(imageRect.width() * imageRect.height() * 4) == pixelArrayLength) {
+        if ((imageRect.area() * 4).unsafeGet() == pixelArrayLength) {
             for (int y = minBufferY; y < maxBufferY; ++y) {
                 int startX = -1;
                 for (int x = 0; x < imageRect.width(); ++x, pixelArrayOffset += 4) {
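
Review bot: overflow here simply means the rect cannot describe `pixelArrayLength` bytes, so the correct outcome is the existing mismatch path (skip the raster), not a process crash. Use `auto numBytes = imageRect.area<RecordOverflow>() * 4;` and test `!numBytes.hasOverflowed() && numBytes.unsafeGet() == pixelArrayLength`; `unsafeGet()` itself crashes on an overflowed value, so the `hasOverflowed()` check must come first.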

Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/ChangeLog (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/ChangeLog	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/ChangeLog	2016-12-28 10:28:40 UTC (rev 210193)
@@ -1,3 +1,25 @@
+2016-10-21  David Kilzer  <[email protected]>
+
+        Bug 163762: IntSize::area() should used checked arithmetic
+        <https://webkit.org/b/163762>
+
+        Reviewed by Darin Adler.
+
+        * Shared/ShareableBitmap.cpp:
+        (WebKit::ShareableBitmap::create): Add overflow check and return
+        nullptr on overflow.
+        (WebKit::ShareableBitmap::createShareable): Ditto.
+        (WebKit::ShareableBitmap::create): Change debug assert for
+        adequate buffer size check into release check.
+        * Shared/ShareableBitmap.h:
+        (WebKit::ShareableBitmap::numBytesForSize): Change to return a
+        Checked<unsigned, RecordOverflow> value.
+        (WebKit::ShareableBitmap::sizeInBytes):
+        * Shared/cairo/ShareableBitmapCairo.cpp:
+        (WebKit::ShareableBitmap::numBytesForSize): Ditto.
+        * UIProcess/API/Cocoa/WKWebView.mm:
+        (-[WKWebView _takeViewSnapshot]): Call unsafeGet().
+
 2016-10-05  Daniel Bates  <[email protected]>
 
         Do not follow redirects when sending violation report

Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/ShareableBitmap.cpp (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/ShareableBitmap.cpp	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/ShareableBitmap.cpp	2016-12-28 10:28:40 UTC (rev 210193)
@@ -66,10 +66,12 @@
 
 RefPtr<ShareableBitmap> ShareableBitmap::create(const IntSize& size, Flags flags)
 {
-    size_t numBytes = numBytesForSize(size);
-    
+    auto numBytes = numBytesForSize(size);
+    if (numBytes.hasOverflowed())
+        return nullptr;
+
     void* data = ""
-    if (!tryFastMalloc(numBytes).getValue(data))
+    if (!tryFastMalloc(numBytes.unsafeGet()).getValue(data))
         return nullptr;
 
     return adoptRef(new ShareableBitmap(size, flags, data));
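
Review bot: the overflow check is the right fix; two follow-ups. `numBytesForSize` now returns `Checked<unsigned>` where it returned `size_t`, so on 64-bit a bitmap of 4 GiB or more is rejected here where it used to allocate; a sensible cap, but a behaviour change the ChangeLog should state. And since create() now validates `size` explicitly, it is the natural place to also reject empty or negative dimensions (`size.isEmpty()`): `area()` takes `abs()` of width and height, so a negative size still yields a positive byte count and a bitmap carrying a negative IntSize. The context line `void* data = ""` looks mangled by the mail rendering; verify the real initializer in the tree.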
@@ -77,9 +79,11 @@
 
 RefPtr<ShareableBitmap> ShareableBitmap::createShareable(const IntSize& size, Flags flags)
 {
-    size_t numBytes = numBytesForSize(size);
+    auto numBytes = numBytesForSize(size);
+    if (numBytes.hasOverflowed())
+        return nullptr;
 
-    RefPtr<SharedMemory> sharedMemory = SharedMemory::allocate(numBytes);
+    RefPtr<SharedMemory> sharedMemory = SharedMemory::allocate(numBytes.unsafeGet());
     if (!sharedMemory)
         return nullptr;
 
@@ -90,9 +94,14 @@
 {
     ASSERT(sharedMemory);
 
-    size_t numBytes = numBytesForSize(size);
-    ASSERT_UNUSED(numBytes, sharedMemory->size() >= numBytes);
-    
+    auto numBytes = numBytesForSize(size);
+    if (numBytes.hasOverflowed())
+        return nullptr;
+    if (sharedMemory->size() < numBytes.unsafeGet()) {
+        ASSERT_NOT_REACHED();
+        return nullptr;
+    }
+
     return adoptRef(new ShareableBitmap(size, flags, sharedMemory));
 }
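
Review bot: `ASSERT_NOT_REACHED()` followed by `return nullptr` is the wrong shape if this overload is reached from a ShareableBitmap::Handle decoded over IPC, where both the SharedMemory and the size arrive from the other process: a compromised web process could then trip the assertion at will in debug builds, and the release check is the only one that matters. Make it plain validation (`if (sharedMemory->size() < numBytes.unsafeGet()) return nullptr;`), optionally with a log line; the ChangeLog's "release check" wording already treats this as input validation rather than an invariant.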
 

Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/ShareableBitmap.h (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/ShareableBitmap.h	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/ShareableBitmap.h	2016-12-28 10:28:40 UTC (rev 210193)
@@ -125,9 +125,9 @@
     ShareableBitmap(const WebCore::IntSize&, Flags, RefPtr<SharedMemory>);
 
 #if USE(CAIRO)
-    static size_t numBytesForSize(const WebCore::IntSize&);
+    static Checked<unsigned, RecordOverflow> numBytesForSize(const WebCore::IntSize&);
 #else
-    static size_t numBytesForSize(const WebCore::IntSize& size) { return size.width() * size.height() * 4; }
+    static Checked<unsigned, RecordOverflow> numBytesForSize(const WebCore::IntSize& size) { return size.area<RecordOverflow>() * 4; }
 #endif
 
 #if USE(CG)
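
Review bot: `Checked` and `RecordOverflow` are used unqualified in this header while the WebCore side of the patch deliberately writes `WTF::CrashOnOverflow`; if this compiles only through a `using` that happens to be visible, qualify them or include the WTF header here. Separately, the narrowing from `size_t` to `unsigned` in `numBytesForSize` is what makes the new `hasOverflowed()` checks in ShareableBitmap.cpp meaningful on 64-bit, so it should be mentioned alongside them rather than left as an implicit side effect of the return type.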
@@ -141,7 +141,7 @@
 #endif
 
     void* data() const;
-    size_t sizeInBytes() const { return numBytesForSize(m_size); }
+    size_t sizeInBytes() const { return numBytesForSize(m_size).unsafeGet(); }
 
     WebCore::IntSize m_size;
     Flags m_flags;
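
Review bot: `sizeInBytes()` calls `unsafeGet()` on a `RecordOverflow` value, which crashes if that value overflowed. This is only safe because every ShareableBitmap is built through a create() that already rejected overflow for the same m_size; add a comment (or `ASSERT(!numBytesForSize(m_size).hasOverflowed())`) stating that invariant so a future constructor or setter on m_size does not silently reintroduce a crash path.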

Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp	2016-12-28 10:28:40 UTC (rev 210193)
@@ -40,9 +40,9 @@
 
 static const cairo_format_t cairoFormat = CAIRO_FORMAT_ARGB32;
 
-size_t ShareableBitmap::numBytesForSize(const WebCore::IntSize& size)
+Checked<unsigned, RecordOverflow> ShareableBitmap::numBytesForSize(const WebCore::IntSize& size)
 {
-    return cairo_format_stride_for_width(cairoFormat, size.width()) * size.height();
+    return Checked<unsigned, RecordOverflow>(cairo_format_stride_for_width(cairoFormat, size.width())) * size.height();
 }
 
 static inline RefPtr<cairo_surface_t> createSurfaceFromData(void* data, const WebCore::IntSize& size)
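
Review bot: `cairo_format_stride_for_width` returns -1 when it cannot produce a stride for the width, and this code relies on the `Checked<unsigned, RecordOverflow>` converting constructor flagging that negative value as overflow. That works, but it is indirect and easy to break in a later edit; store the stride in a local and add an explicit `if (stride < 0)` (or at least a comment on this line saying the -1 case is caught by the conversion). Likewise `size.height()` is a signed int, and a negative height is caught only by the mixed-sign multiply, not by any check a reader can see.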

Modified: releases/WebKitGTK/webkit-2.14/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm (210192 => 210193)


--- releases/WebKitGTK/webkit-2.14/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm	2016-12-28 09:59:45 UTC (rev 210192)
+++ releases/WebKitGTK/webkit-2.14/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm	2016-12-28 10:28:40 UTC (rev 210193)
@@ -1413,7 +1413,7 @@
 
     CARenderServerCaptureLayerWithTransform(MACH_PORT_NULL, self.layer.context.contextId, (uint64_t)self.layer, slotID, 0, 0, &transform);
     WebCore::IntSize imageSize = WebCore::expandedIntSize(WebCore::FloatSize(snapshotSize));
-    return WebKit::ViewSnapshot::create(slotID, imageSize, imageSize.width() * imageSize.height() * 4);
+    return WebKit::ViewSnapshot::create(slotID, imageSize, (imageSize.area() * 4).unsafeGet());
 #endif
 }
 
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
