Too large plugins are crashing.
author rgabor@webkit.org <rgabor@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 30 Dec 2014 18:40:20 +0000 (18:40 +0000)
committer rgabor@webkit.org <rgabor@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 30 Dec 2014 18:40:20 +0000 (18:40 +0000)
https://bugs.webkit.org/show_bug.cgi?id=139856

Reviewed by Darin Adler.

Source/WebKit2:

* WebProcess/Plugins/PluginProxy.cpp:
(WebKit::PluginProxy::updateBackingStore): Return false if backingStore cannot be allocated.

LayoutTests:

Add layout test to cover this crash.

* plugins/large-plugin-crash-expected.txt: Added.
* plugins/large-plugin-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@177824 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/plugins/large-plugin-crash-expected.txt [new file with mode: 0644]
LayoutTests/plugins/large-plugin-crash.html [new file with mode: 0644]
Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/Plugins/PluginProxy.cpp

index 734938c..c26dfb2 100644 (file)
@@ -1,3 +1,15 @@
+2014-12-30  Gabor Rapcsanyi  <rgabor@webkit.org>
+
+        Too large plugins are crashing.
+        https://bugs.webkit.org/show_bug.cgi?id=139856
+
+        Reviewed by Darin Adler.
+
+        Add layout test to cover this crash.
+
+        * plugins/large-plugin-crash-expected.txt: Added.
+        * plugins/large-plugin-crash.html: Added.
+
 2014-12-29  Sebastian Dröge  <sebastian@centricular.com>
 
         Enable MediaSource tests for the GTK port
diff --git a/LayoutTests/plugins/large-plugin-crash-expected.txt b/LayoutTests/plugins/large-plugin-crash-expected.txt
new file mode 100644 (file)
index 0000000..49323b9
--- /dev/null
@@ -0,0 +1,5 @@
+Bug 139856: Large plugin crash.
+
+This test PASSES if it does not CRASH.
+
+
diff --git a/LayoutTests/plugins/large-plugin-crash.html b/LayoutTests/plugins/large-plugin-crash.html
new file mode 100644 (file)
index 0000000..bbf6d0a
--- /dev/null
@@ -0,0 +1,15 @@
+<html>
+    <body>
+        <p>Bug <a href="https://bugs.webkit.org/show_bug.cgi?id=139856">139856</a>: Large plugin crash.</p>
+        <p>This test PASSES if it does not CRASH.</p>
+
+        <embed id="plugin" width="99999999999999999" type="application/x-webkit-test-netscape"></embed>
+
+        <script>
+            if (window.testRunner)
+                testRunner.dumpAsText();
+            document.getElementById('plugin').style.webkitTransform = 'scale(1)';
+        </script>
+
+    </body>
+</html>
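Review bot: the `<embed>` on the plugin line is a void element, so the closing `</embed>` tag is unnecessary and can be dropped. The intent of the last script line is also not obvious to a reader: `style.webkitTransform = 'scale(1)'` looks like a no-op, but it is what the test relies on to trigger a backing-store update for the oversized `width` after the plugin is created; a one-line HTML comment stating that would make the crash reproduction self-explanatory and keep someone from "simplifying" it away later.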
index ac0645f..b3466f2 100644 (file)
@@ -1,3 +1,13 @@
+2014-12-30  Gabor Rapcsanyi  <rgabor@webkit.org>
+
+        Too large plugins are crashing.
+        https://bugs.webkit.org/show_bug.cgi?id=139856
+
+        Reviewed by Darin Adler.
+
+        * WebProcess/Plugins/PluginProxy.cpp:
+        (WebKit::PluginProxy::updateBackingStore): Return false if backingStore cannot be allocated.
+
 2014-12-30  Anders Carlsson  <andersca@apple.com>
 
         Transient local storage namespaces need to ref their storage areas
index 095dcbd..16f99df 100644 (file)
@@ -596,6 +596,8 @@ bool PluginProxy::updateBackingStore()
     
     if (!m_backingStore) {
         m_backingStore = ShareableBitmap::create(backingStoreSize, ShareableBitmap::SupportsAlpha);
+        if (!m_backingStore)
+            return false;
         return true;
     }
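Review bot: the new null check after `ShareableBitmap::create(backingStoreSize, ShareableBitmap::SupportsAlpha)` only changes the contract of this branch (it used to return true unconditionally), so every caller of `updateBackingStore()` needs to treat a false return as "no backing store exists" rather than "nothing changed"; please verify the callers do not go on to use `m_backingStore` after a false return. A short comment on the check (allocation fails for oversized plugin dimensions such as the width in the layout test, and the function must not continue with a null bitmap) would document why false is returned here. Consider also validating `backingStoreSize` before calling `create`, so an absurd size is rejected explicitly instead of being detected only as an allocation failure.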