Title: [259024] trunk
- Revision
- 259024
- Author
- commit-qu...@webkit.org
- Date
- 2020-03-25 17:28:36 -0700 (Wed, 25 Mar 2020)
Log Message
CanvasRenderingContext2D.putImageData() should not process neutered ImageData
https://bugs.webkit.org/show_bug.cgi?id=208303
Patch by Pinki Gyanchandani <pgyanchand...@apple.com> on 2020-03-25
Reviewed by Said Abou-Hallawa.
Source/WebCore:
Test: fast/canvas/canvas-putImageData-neutered-ImageData.html
The crash happens when putImageData is called on a neutered ImageData object.
Added a check to exit from the CanvasRenderingContext2D.putImageData() function when the ImageData object is neutered.
* html/canvas/CanvasRenderingContext2DBase.cpp:
(WebCore::CanvasRenderingContext2DBase::putImageData):
LayoutTests:
Added a slightly modified version of the test case from Bugzilla.
This testcase checks that a neutered ImageData object is not considered to be put onto the canvas.
* fast/canvas/canvas-putImageData-neutered-ImageData-expected.txt: Added.
* fast/canvas/canvas-putImageData-neutered-ImageData.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (259023 => 259024)
--- trunk/LayoutTests/ChangeLog 2020-03-25 23:52:24 UTC (rev 259023)
+++ trunk/LayoutTests/ChangeLog 2020-03-26 00:28:36 UTC (rev 259024)
@@ -1,3 +1,16 @@
+2020-03-25 Pinki Gyanchandani <pgyanchand...@apple.com>
+
+ CanvasRenderingContext2D.putImageData() should not process neutered ImageData
+ https://bugs.webkit.org/show_bug.cgi?id=208303
+
+ Reviewed by Said Abou-Hallawa.
+
+ Added slightly modified version of testcase from bugzilla.
+ This testcase checks that a neutered ImageData object is not considered to be put onto the canvas.
+
+ * fast/canvas/canvas-putImageData-neutered-ImageData-expected.txt: Added.
+ * fast/canvas/canvas-putImageData-neutered-ImageData.html: Added.
+
2020-03-25 Simon Fraser <simon.fra...@apple.com>
Flashing and partly visible elements
Added: trunk/LayoutTests/fast/canvas/canvas-putImageData-neutered-ImageData-expected.txt (0 => 259024)
--- trunk/LayoutTests/fast/canvas/canvas-putImageData-neutered-ImageData-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/canvas/canvas-putImageData-neutered-ImageData-expected.txt 2020-03-26 00:28:36 UTC (rev 259024)
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+
Added: trunk/LayoutTests/fast/canvas/canvas-putImageData-neutered-ImageData.html (0 => 259024)
--- trunk/LayoutTests/fast/canvas/canvas-putImageData-neutered-ImageData.html (rev 0)
+++ trunk/LayoutTests/fast/canvas/canvas-putImageData-neutered-ImageData.html 2020-03-26 00:28:36 UTC (rev 259024)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<script>
+
+function canvasTest() {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ var worker = new Worker('non-existent-file');
+ var imageWidth = 1;
+ var imageHeight = 1;
+ var image = new ImageData( imageWidth, imageHeight);
+ var context = document.getElementById("canvas").getContext("2d");
+ worker.postMessage({data: image.data.buffer}, [image.data.buffer]);
+ context.putImageData(image, 0, 0);
+}
+</script>
+
+<body _onload_=canvasTest()>
+<div>Test passes if it does not crash.</div>
+<canvas id=canvas></canvas>
+</body>
+</html>
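Review bot: the body tag `<body _onload_=canvasTest()>` is not a valid event-handler attribute name, so as written canvasTest() is never invoked and the test passes vacuously; if the committed file actually reads `<body onload=canvasTest()>` this is only an archive mangling, but it is worth confirming before landing. Separately, the test asserts nothing beyond not crashing, which is all that expected.txt can distinguish: after `context.putImageData(image, 0, 0);` consider reading the pixel back with `context.getImageData(0, 0, 1, 1)` and printing whether it is still transparent black, so that a regression which draws from a detached buffer without crashing is also caught. A one-line comment that the Worker with a non-existent script exists only as a postMessage target to transfer, and thereby detach, `image.data.buffer` would help the next reader.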
Modified: trunk/Source/WebCore/ChangeLog (259023 => 259024)
--- trunk/Source/WebCore/ChangeLog 2020-03-25 23:52:24 UTC (rev 259023)
+++ trunk/Source/WebCore/ChangeLog 2020-03-26 00:28:36 UTC (rev 259024)
@@ -1,3 +1,18 @@
+2020-03-25 Pinki Gyanchandani <pgyanchand...@apple.com>
+
+ CanvasRenderingContext2D.putImageData() should not process neutered ImageData
+ https://bugs.webkit.org/show_bug.cgi?id=208303
+
+ Reviewed by Said Abou-Hallawa.
+
+ Test: fast/canvas/canvas-putImageData-neutered-ImageData.html
+
+ The crash happens when putImageData is called on a neutered ImageData object.
+ Added a check to exit from CanvasRenderingContext2D.putImageData() function when ImageData object is neutered.
+
+ * html/canvas/CanvasRenderingContext2DBase.cpp:
+ (WebCore::CanvasRenderingContext2DBase::putImageData):
+
2020-03-25 Chris Dumez <cdu...@apple.com>
Use JSC::EnsureStillAliveScope RAII object in the generated bindings code
Modified: trunk/Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp (259023 => 259024)
--- trunk/Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp 2020-03-25 23:52:24 UTC (rev 259023)
+++ trunk/Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp 2020-03-26 00:28:36 UTC (rev 259024)
@@ -2159,7 +2159,7 @@
if (!buffer)
return;
- if (!data.data())
+ if (!data.data() || data.data()->isNeutered())
return;
if (dirtyWidth < 0) {
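Review bot: the new condition `if (!data.data() || data.data()->isNeutered())` silently turns putImageData() into a no-op when the backing ArrayBuffer has been detached, so the caller gets no signal that nothing was drawn. Please check the putImageData steps in the HTML specification to confirm whether a detached data buffer should raise an InvalidStateError instead; if so, this path needs to propagate an exception (ExceptionOr) rather than return early, and the expected.txt in this change would then record the thrown exception rather than only the no-crash line. If the silent return is intentional, a short comment on this line stating why the detached case is ignored rather than rejected would document that decision.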
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes