Title: [272845] trunk
Revision: 272845
Author: commit-qu...@webkit.org
Date: 2021-02-15 02:38:30 -0800 (Mon, 15 Feb 2021)

Log Message

Crash in RetainPtr<CGImage*>::RetainPtr via ImageBufferCGBackend::toCFData
https://bugs.webkit.org/show_bug.cgi?id=221376

Patch by Frederic Wang <fw...@igalia.com> on 2021-02-15
Reviewed by Said Abou-Hallawa.

Source/WebCore:

Call to copyNativeImage(CopyBackingStore) may return a null pointer if CGBitmapContextCreateImage
does. This patch fixes a crash due to null pointer dereference and adds a similar check for
copyNativeImage(DontCopyBackingStore).

Test: fast/canvas/resize-to-large-canvas-and-convert-to-blog.html

* platform/graphics/cg/ImageBufferCGBackend.cpp:
(WebCore::ImageBufferCGBackend::toCFData const):

LayoutTests:

* fast/canvas/resize-to-large-canvas-and-convert-to-blog-expected.txt: Added.
* fast/canvas/resize-to-large-canvas-and-convert-to-blog-expected.txt: Added.
* fast/canvas/resize-to-large-canvas-and-convert-to-blog.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (272844 => 272845)


--- trunk/LayoutTests/ChangeLog	2021-02-15 10:23:23 UTC (rev 272844)
+++ trunk/LayoutTests/ChangeLog	2021-02-15 10:38:30 UTC (rev 272845)
@@ -1,3 +1,14 @@
+2021-02-15  Frederic Wang  <fw...@igalia.com>
+
+        Crash in RetainPtr<CGImage*>::RetainPtr via ImageBufferCGBackend::toCFData
+        https://bugs.webkit.org/show_bug.cgi?id=221376
+
+        Reviewed by Said Abou-Hallawa.
+
+        * fast/canvas/resize-to-large-canvas-and-convert-to-blog-expected.txt: Added.
+        * fast/canvas/resize-to-large-canvas-and-convert-to-blog-expected.txt: Added.
+        * fast/canvas/resize-to-large-canvas-and-convert-to-blog.html: Added.
+
 2021-02-14  Peng Liu  <peng.l...@apple.com>
 
         [GPUP] Move UseGPUProcessForMediaEnabled from WebPreferencesInternal to WebPreferencesExperimental
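Review bot: the second "fast/canvas/resize-to-large-canvas-and-convert-to-blog-expected.txt: Added." line is a verbatim duplicate of the first, while the third file this revision adds, platform/ios/fast/canvas/resize-to-large-canvas-and-convert-to-blog-expected.txt, is not listed at all; the duplicate line should name the iOS expectation instead. Separately, the test is named "convert-to-blog" but it exercises canvas.toBlob; since the same name is used in both ChangeLogs and all three paths it is consistent, but "convert-to-blob" would be the accurate spelling if the files are renamed before landing.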

Added: trunk/LayoutTests/fast/canvas/resize-to-large-canvas-and-convert-to-blog-expected.txt (0 => 272845)


--- trunk/LayoutTests/fast/canvas/resize-to-large-canvas-and-convert-to-blog-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/resize-to-large-canvas-and-convert-to-blog-expected.txt	2021-02-15 10:38:30 UTC (rev 272845)
@@ -0,0 +1,3 @@
+This test passes if it doesn't crash.
+
+

Added: trunk/LayoutTests/fast/canvas/resize-to-large-canvas-and-convert-to-blog.html (0 => 272845)


--- trunk/LayoutTests/fast/canvas/resize-to-large-canvas-and-convert-to-blog.html	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/resize-to-large-canvas-and-convert-to-blog.html	2021-02-15 10:38:30 UTC (rev 272845)
@@ -0,0 +1,9 @@
+<!doctype>
+<p>This test passes if it doesn't crash.</p>
+<canvas id="canvas" height="1">
+<script>
+  if (window.testRunner)
+      testRunner.dumpAsText();
+  canvas.width = 67566398;
+  canvas.toBlob(() => {})
+</script>
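Review bot: `<!doctype>` carries no document type name, so it is not a valid doctype and the page is parsed in quirks mode, and the `<canvas>` element is never closed, leaving the `<script>` nested inside it by parser error recovery; `<!DOCTYPE html>` and an explicit `</canvas>` before the script would make the test independent of that recovery. The test reproduces the bug by giving a height-1 canvas a width of 67566398 so that the backing store is large enough for CGBitmapContextCreateImage to fail and toBlob reaches the null-image path in ImageBufferCGBackend::toCFData; it only records survival, so consider having the toBlob callback log whether it received a Blob or null, which would also document the expected user-visible behaviour in the expected.txt files rather than just "doesn't crash".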

Added: trunk/LayoutTests/platform/ios/fast/canvas/resize-to-large-canvas-and-convert-to-blog-expected.txt (0 => 272845)


--- trunk/LayoutTests/platform/ios/fast/canvas/resize-to-large-canvas-and-convert-to-blog-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/platform/ios/fast/canvas/resize-to-large-canvas-and-convert-to-blog-expected.txt	2021-02-15 10:38:30 UTC (rev 272845)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Canvas area exceeds the maximum limit (width * height > 16777216).
+This test passes if it doesn't crash.
+
+

Modified: trunk/Source/WebCore/ChangeLog (272844 => 272845)


--- trunk/Source/WebCore/ChangeLog	2021-02-15 10:23:23 UTC (rev 272844)
+++ trunk/Source/WebCore/ChangeLog	2021-02-15 10:38:30 UTC (rev 272845)
@@ -1,3 +1,19 @@
+2021-02-15  Frederic Wang  <fw...@igalia.com>
+
+        Crash in RetainPtr<CGImage*>::RetainPtr via ImageBufferCGBackend::toCFData
+        https://bugs.webkit.org/show_bug.cgi?id=221376
+
+        Reviewed by Said Abou-Hallawa.
+
+        Call to copyNativeImage(CopyBackingStore) may return a null pointer if CGBitmapContextCreateImage
+        does. This patch fixes a crash due to null pointer dereference and adds a similar check for
+        copyNativeImage(DontCopyBackingStore).
+
+        Test: fast/canvas/resize-to-large-canvas-and-convert-to-blog.html
+
+        * platform/graphics/cg/ImageBufferCGBackend.cpp:
+        (WebCore::ImageBufferCGBackend::toCFData const):
+
 2021-02-15  Manuel Rego Casasnovas  <r...@igalia.com>
 
         [selectors] Update :focus-visible status in features.json

Modified: trunk/Source/WebCore/platform/graphics/cg/ImageBufferCGBackend.cpp (272844 => 272845)


--- trunk/Source/WebCore/platform/graphics/cg/ImageBufferCGBackend.cpp	2021-02-15 10:23:23 UTC (rev 272844)
+++ trunk/Source/WebCore/platform/graphics/cg/ImageBufferCGBackend.cpp	2021-02-15 10:38:30 UTC (rev 272845)
@@ -191,10 +191,16 @@
 
         image = adoptCF(CGImageCreate(pixelArrayDimensions.width(), pixelArrayDimensions.height(), 8, 32, 4 * pixelArrayDimensions.width(), sRGBColorSpaceRef(), kCGBitmapByteOrderDefault | kCGImageAlphaNoneSkipLast, dataProvider.get(), 0, false, kCGRenderingIntentDefault));
     } else if (resolutionScale() == 1 || preserveResolution == PreserveResolution::Yes) {
-        image = copyNativeImage(CopyBackingStore)->platformImage();
+        auto nativeImage = copyNativeImage(CopyBackingStore);
+        if (!nativeImage)
+            return nullptr;
+        image = nativeImage->platformImage();
         image = createCroppedImageIfNecessary(image.get(), backendSize());
     } else {
-        image = copyNativeImage(DontCopyBackingStore)->platformImage();
+        auto nativeImage = copyNativeImage(DontCopyBackingStore);
+        if (!nativeImage)
+            return nullptr;
+        image = nativeImage->platformImage();
         auto context = adoptCF(CGBitmapContextCreate(0, backendSize().width(), backendSize().height(), 8, 4 * backendSize().width(), sRGBColorSpaceRef(), kCGImageAlphaPremultipliedFirst | kCGBitmapByteOrder32Host));
         CGContextSetBlendMode(context.get(), kCGBlendModeCopy);
         CGContextClipToRect(context.get(), CGRectMake(0, 0, backendSize().width(), backendSize().height()));
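Review bot: the DontCopyBackingStore branch now guards `nativeImage` but still hands the result of CGBitmapContextCreate straight to CGContextSetBlendMode and CGContextClipToRect without checking it; that context is created with the same backendSize() width and height that make CGBitmapContextCreateImage fail, so it can fail for the same reason and `context` deserves the same `if (!context) return nullptr;` treatment. In the CopyBackingStore branch the value returned by `createCroppedImageIfNecessary(image.get(), backendSize())` is likewise not checked before use. The two new null checks are identical; checking `image` once after the if/else chain (or a small helper returning the platform image or null) would remove the duplication and cover the CGImageCreate result in the first branch as well. The new early `return nullptr` also means every caller of toCFData must already tolerate a null CFData, which is worth confirming for the toDataURL and toData paths.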
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
