Title: [259024] trunk
Revision
259024
Author
commit-qu...@webkit.org
Date
2020-03-25 17:28:36 -0700 (Wed, 25 Mar 2020)

Log Message

CanvasRenderingContext2D.putImageData() should not process neutered ImageData
https://bugs.webkit.org/show_bug.cgi?id=208303

Patch by Pinki Gyanchandani <pgyanchand...@apple.com> on 2020-03-25
Reviewed by Said Abou-Hallawa.

Source/WebCore:

Test: fast/canvas/canvas-putImageData-neutered-ImageData.html

The crash happens when putImageData is called on a neutered ImageData object.
Added a check to exit from CanvasRenderingContext2D.putImageData() function when ImageData object is neutered.

* html/canvas/CanvasRenderingContext2DBase.cpp:
(WebCore::CanvasRenderingContext2DBase::putImageData):

LayoutTests:

Added slightly modified version of testcase from bugzilla.
This testcase checks that a neutered ImageData object is not considered to be put onto the canvas.

* fast/canvas/canvas-putImageData-neutered-ImageData-expected.txt: Added.
* fast/canvas/canvas-putImageData-neutered-ImageData.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (259023 => 259024)


--- trunk/LayoutTests/ChangeLog	2020-03-25 23:52:24 UTC (rev 259023)
+++ trunk/LayoutTests/ChangeLog	2020-03-26 00:28:36 UTC (rev 259024)
@@ -1,3 +1,16 @@
+2020-03-25  Pinki Gyanchandani  <pgyanchand...@apple.com>
+
+        CanvasRenderingContext2D.putImageData() should not process neutered ImageData
+        https://bugs.webkit.org/show_bug.cgi?id=208303
+
+        Reviewed by Said Abou-Hallawa.
+
+        Added slightly modified version of testcase from bugzilla.
+        This testcase checks that a neutered ImageData object is not considered to be put onto the canvas.
+
+        * fast/canvas/canvas-putImageData-neutered-ImageData-expected.txt: Added.
+        * fast/canvas/canvas-putImageData-neutered-ImageData.html: Added.
+
 2020-03-25  Simon Fraser  <simon.fra...@apple.com>
 
         Flashing and partly visible elements
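Review bot: the entry's description of the test ("checks that a neutered ImageData object is not considered to be put onto the canvas") overstates what the added files verify; the expectation text below is only "Test passes if it does not crash." and the test reads nothing back from the canvas. Either reword the entry to say the test checks that putImageData on a neutered ImageData does not crash, or extend the test with a getImageData readback so the ChangeLog claim is actually exercised.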

Added: trunk/LayoutTests/fast/canvas/canvas-putImageData-neutered-ImageData-expected.txt (0 => 259024)


--- trunk/LayoutTests/fast/canvas/canvas-putImageData-neutered-ImageData-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/canvas-putImageData-neutered-ImageData-expected.txt	2020-03-26 00:28:36 UTC (rev 259024)
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+

Added: trunk/LayoutTests/fast/canvas/canvas-putImageData-neutered-ImageData.html (0 => 259024)


--- trunk/LayoutTests/fast/canvas/canvas-putImageData-neutered-ImageData.html	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/canvas-putImageData-neutered-ImageData.html	2020-03-26 00:28:36 UTC (rev 259024)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<script>
+
+function canvasTest() {
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    var worker = new Worker('non-existent-file');
+    var imageWidth = 1;
+    var imageHeight = 1;
+    var image = new ImageData( imageWidth, imageHeight);
+    var context = document.getElementById("canvas").getContext("2d");
+    worker.postMessage({data: image.data.buffer}, [image.data.buffer]);
+    context.putImageData(image, 0, 0);
+}
+</script>
+
+<body _onload_=canvasTest()>
+<div>Test passes if it does not crash.</div>
+<canvas id=canvas></canvas>
+</body>
+</html>
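Review bot: the test has no observable assertion beyond surviving the call; if the early return were removed and the access happened not to fault, this test would still pass. After `context.putImageData(image, 0, 0);` add a `context.getImageData(0, 0, 1, 1)` readback and print whether the pixel is still fully transparent, or, if the intended web-visible behaviour is an exception, wrap the call in try/catch and record what was thrown. Separately, `new Worker('non-existent-file')` is used only as a transfer target; a `MessageChannel` port would neuter `image.data.buffer` just as well without depending on a worker script fetch that is expected to fail and without the associated console error, which keeps the test output stable across ports.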

Modified: trunk/Source/WebCore/ChangeLog (259023 => 259024)


--- trunk/Source/WebCore/ChangeLog	2020-03-25 23:52:24 UTC (rev 259023)
+++ trunk/Source/WebCore/ChangeLog	2020-03-26 00:28:36 UTC (rev 259024)
@@ -1,3 +1,18 @@
+2020-03-25  Pinki Gyanchandani  <pgyanchand...@apple.com>
+
+        CanvasRenderingContext2D.putImageData() should not process neutered ImageData
+        https://bugs.webkit.org/show_bug.cgi?id=208303
+
+        Reviewed by Said Abou-Hallawa.
+
+        Test: fast/canvas/canvas-putImageData-neutered-ImageData.html
+
+        The crash happens when putImageData is called on a neutered ImageData object. 
+        Added a check to exit from CanvasRenderingContext2D.putImageData() function when ImageData object is neutered.
+
+        * html/canvas/CanvasRenderingContext2DBase.cpp:
+        (WebCore::CanvasRenderingContext2DBase::putImageData):
+
 2020-03-25  Chris Dumez  <cdu...@apple.com>
 
         Use JSC::EnsureStillAliveScope RAII object in the generated bindings code
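Review bot: the line "The crash happens when putImageData is called on a neutered ImageData object. " carries trailing whitespace; strip it. The entry also does not say why a silent return was chosen over raising an exception for a neutered buffer; one sentence recording that decision (and what the caller observes) would help the next person who reads this ChangeLog.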

Modified: trunk/Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp (259023 => 259024)


--- trunk/Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp	2020-03-25 23:52:24 UTC (rev 259023)
+++ trunk/Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp	2020-03-26 00:28:36 UTC (rev 259024)
@@ -2159,7 +2159,7 @@
     if (!buffer)
         return;
 
-    if (!data.data())
+    if (!data.data() || data.data()->isNeutered())
         return;
 
     if (dirtyWidth < 0) {
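Review bot: `if (!data.data() || data.data()->isNeutered()) return;` makes a call on a neutered buffer a silent no-op, which hides a caller bug and gives script no way to tell the call was dropped; check the HTML spec's putImageData steps for the detached-buffer case and consider throwing an InvalidStateError there instead if that is what they prescribe, which would also give the layout test something observable to assert. A short comment above the early return stating that the backing store has been transferred away would also help, since `isNeutered()` alone does not explain why a 2D canvas routine needs to care.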
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
