Read out of bounds in sUnpremultiplyData_RGBA8888 / ImageBufferData::getData
authormdelaney@apple.com <mdelaney@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 2 Sep 2011 22:32:44 +0000 (22:32 +0000)
committermdelaney@apple.com <mdelaney@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 2 Sep 2011 22:32:44 +0000 (22:32 +0000)
commitc29a0c7bc210290c6ecdb1ec07e1848b10491527
tree756f74a3e54a000eec57e416b1d70632c870043d
parente5a1d4b10f26d45b5f021944881c7f2b9f2045a7
Read out of bounds in sUnpremultiplyData_RGBA8888 / ImageBufferData::getData
https://bugs.webkit.org/show_bug.cgi?id=65352

Reviewed by Simon Fraser.

New test: fast/canvas/canvas-getImageData-large-crash.html

Source/JavaScriptCore:

This patch prevents overflows from happening in getImageData, createImageData, and canvas creation
calls that specify widths and heights that end up overflowing the ints that we store those values in
as well as derived values such as area and maxX / maxY of the bounding rects involved. Overflow of integer
arithmetic is detected via the use of the new Checked type that was introduced in r94207. The change to JSC
is just to add a new helper method described below.

* wtf/MathExtras.h:
(isWithinIntRange): Reports if a float's value is within the range expressible by an int.

Source/WebCore:

This patch prevents overflows from happening in getImageData, createImageData, and canvas creation
calls that specify widths and heights that end up overflowing the ints that we store those values in
as well as derived values such as area and maxX / maxY of the bounding rects involved. Overflow of integer
arithmetic is detected via the use of the new Checked type that was introduced in r94207.

* html/HTMLCanvasElement.cpp:
(WebCore::HTMLCanvasElement::convertLogicalToDevice): Removed dependency on ints, using FloatRects/Sizes instead.
(WebCore::HTMLCanvasElement::createImageBuffer): Moved the check for max canvas area and dimensions here.
  Added in check that prevents us from having canvases of sizes that will cause overflows.
(WebCore::HTMLCanvasElement::baseTransform): Updated use of convertLogicalToDevice.
* html/HTMLCanvasElement.h: Updated method signatures.
* html/canvas/CanvasRenderingContext2D.cpp:
(WebCore::createEmptyImageData): Added in check to prevent creating ImageData objects that will cause overflow when computing their size.
(WebCore::CanvasRenderingContext2D::createImageData): Avoid creating ImageData objects of size that will overflow later.
(WebCore::CanvasRenderingContext2D::getImageData): Added in check to prevent trying to get ImageData objects that will cause overflow when computing their size.
* platform/graphics/FloatRect.cpp:
(WebCore::FloatRect::isExpressibleAsIntRect): New method that tests whether a FloatRect can become an IntRect without overflow or having to be clamped.
* platform/graphics/FloatRect.h:
* platform/graphics/FloatSize.cpp:
(WebCore::FloatSize::isExpressibleAsIntSize): Same as FloatRect, but for FloatSize->IntSize.
* platform/graphics/FloatSize.h:
* platform/graphics/cg/ImageBufferCG.cpp: Added check for overflow.
(WebCore::ImageBuffer::ImageBuffer):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@94457 268f45cc-cd09-0410-ab3c-d52691b4dbfc
14 files changed:
LayoutTests/fast/canvas/canvas-getImageData-large-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/canvas/canvas-getImageData-large-crash.html [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/wtf/MathExtras.h
Source/WebCore/ChangeLog
Source/WebCore/html/HTMLCanvasElement.cpp
Source/WebCore/html/HTMLCanvasElement.h
Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp
Source/WebCore/platform/graphics/FloatRect.cpp
Source/WebCore/platform/graphics/FloatRect.h
Source/WebCore/platform/graphics/FloatSize.cpp
Source/WebCore/platform/graphics/FloatSize.h
Source/WebCore/platform/graphics/cg/ImageBufferCG.cpp
Source/WebCore/platform/graphics/cg/ImageBufferDataCG.h