Bug 21781: WebCore::Settings should have a maximum decoded image size setting
authorddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 23 Oct 2008 02:53:02 +0000 (02:53 +0000)
committerddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 23 Oct 2008 02:53:02 +0000 (02:53 +0000)
        <https://bugs.webkit.org/show_bug.cgi?id=21781>

        Reviewed by Antti.

        No tests since there is no change in behavior.

        * loader/CachedImage.cpp:
        (WebCore::CachedImage::maximumDecodedImageSize): Added.  Returns
        WebCore::Settings::maximumDecodedImageSize() or 0 on error.
        (WebCore::CachedImage::data): Flag an error if the image being
        loaded is too big.
        * loader/CachedImage.h:
        (WebCore::CachedImage::maximumDecodedImageSize): Added declaration.
        * page/Settings.cpp:
        (WebCore::Settings::Settings): Initialize m_maximumDecodedImageSize
        to the maximum value of size_t.
        * page/Settings.h:
        (WebCore::Settings::setMaximumDecodedImageSize): Added method.
        (WebCore::Settings::maximumDecodedImageSize): Ditto.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@37803 268f45cc-cd09-0410-ab3c-d52691b4dbfc

WebCore/ChangeLog
WebCore/loader/CachedImage.cpp
WebCore/loader/CachedImage.h
WebCore/loader/CachedResource.h
WebCore/page/Settings.cpp
WebCore/page/Settings.h

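--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,27 @@
+2008-10-22  David Kilzer  <ddkilzer@apple.com>
+
+        Bug 21781: WebCore::Settings should have a maximum decoded image size setting
+
+        <https://bugs.webkit.org/show_bug.cgi?id=21781>
+
+        Reviewed by Antti.
+
+        No tests since there is no change in behavior.
+
+        * loader/CachedImage.cpp:
+        (WebCore::CachedImage::maximumDecodedImageSize): Added.  Returns
+        WebCore::Settings::maximumDecodedImageSize() or 0 on error.
+        (WebCore::CachedImage::data): Flag an error if the image being
+        loaded is too big.
+        * loader/CachedImage.h:
+        (WebCore::CachedImage::maximumDecodedImageSize): Added declaration.
+        * page/Settings.cpp:
+        (WebCore::Settings::Settings): Initialize m_maximumDecodedImageSize
+        to the maximum value of size_t.
+        * page/Settings.h:
+        (WebCore::Settings::setMaximumDecodedImageSize): Added method.
+        (WebCore::Settings::maximumDecodedImageSize): Ditto.
+
 2008-10-22  Mike Pinkerton  <pinkerton@chromium.org>
 
         Reviewed by Dan Bernstein.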
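--- a/WebCore/loader/CachedImage.cpp
+++ b/WebCore/loader/CachedImage.cpp
 #include "CachedResourceClient.h"
 #include "CachedResourceClientWalker.h"
 #include "DocLoader.h"
+#include "Frame.h"
 #include "FrameView.h"
 #include "Request.h"
+#include "Settings.h"
 #include "SystemTime.h"
 #include <wtf/Vector.h>
 
@@ -238,6 +240,15 @@ inline void CachedImage::createImage()
     m_image = BitmapImage::create(this);
 }
 
+size_t CachedImage::maximumDecodedImageSize()
+{
+    Frame* frame = m_request ? m_request->docLoader()->frame() : 0;
+    if (!frame)
+        return 0;
+    Settings* settings = frame->settings();
+    return settings ? settings->maximumDecodedImageSize() : 0;
+}
+
 void CachedImage::data(PassRefPtr<SharedBuffer> data, bool allDataReceived)
 {
     m_data = data;
@@ -256,8 +267,10 @@ void CachedImage::data(PassRefPtr<SharedBuffer> data, bool allDataReceived)
     // network causes observers to repaint, which will force that chunk
     // to decode.
     if (sizeAvailable || allDataReceived) {
-        if (m_image->isNull()) {
-            // FIXME: I'm not convinced this case can even be hit.
+        size_t maxDecodedImageSize = maximumDecodedImageSize();
+        IntSize s = imageSize(1.0f);
+        size_t estimatedDecodedImageSize = s.width() * s.height() * 4; // no overflow check
+        if (m_image->isNull() || (maxDecodedImageSize > 0 && estimatedDecodedImageSize > maxDecodedImageSize)) {
             error();
             if (inCache())
                 cache()->remove(this);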
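Review bot: The estimate on the third added line of the last hunk, `s.width() * s.height() * 4`, is evaluated in int before the conversion to size_t, so a large pair of declared dimensions overflows (signed overflow, undefined behaviour) and can wrap to a small value that passes the limit this commit introduces — precisely the case the limit exists for, since the dimensions come from the image header rather than from anything trusted. Comparing by division instead of forming the product avoids the overflow entirely; the rewritten lines are below. Separately, maximumDecodedImageSize() in the hunk above returns 0 when there is no frame or no settings, and the new condition treats 0 as "no limit", so an image without a request or frame is never limited; if that fail-open is intended it deserves a comment such as `// 0 means no limit (no frame or settings to ask)`, otherwise the two cases should be distinguished. The body of data() continues outside the hunk.
```cpp
        size_t maxDecodedImageSize = maximumDecodedImageSize();
        IntSize s = imageSize(1.0f);
        // Compare by division rather than forming width * height * 4, which can
        // overflow int for hostile dimensions and make a huge image pass the limit.
        // A negative dimension converts to a very large size_t and is rejected.
        size_t width = static_cast<size_t>(s.width());
        size_t height = static_cast<size_t>(s.height());
        bool exceedsLimit = maxDecodedImageSize > 0 && height > 0
            && width > (maxDecodedImageSize / 4) / height;
        if (m_image->isNull() || exceedsLimit) {
        // … unchanged: error() and cache removal …
```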
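--- a/WebCore/loader/CachedImage.h
+++ b/WebCore/loader/CachedImage.h
@@ -88,6 +88,7 @@ public:
 
 private:
     void createImage();
+    size_t maximumDecodedImageSize();
     void notifyObservers();
     void decodedDataDeletionTimerFired(Timer<CachedImage>*);
 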
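--- a/WebCore/loader/CachedResource.h
+++ b/WebCore/loader/CachedResource.h
@@ -168,7 +168,7 @@ protected:
     void setEncodedSize(unsigned);
     void setDecodedSize(unsigned);
     void didAccessDecodedData(double timeStamp);
-    
+
     HashCountedSet<CachedResourceClient*> m_clients;
 
     String m_url;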
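--- a/WebCore/page/Settings.cpp
+++ b/WebCore/page/Settings.cpp
@@ -32,6 +32,7 @@
 #include "JavaScriptDebugServer.h"
 #include "Page.h"
 #include "PageCache.h"
+#include <limits>
 
 #if ENABLE(DATABASE)
 #include "DatabaseTracker.h"
@@ -86,6 +87,7 @@ Settings::Settings(Page* page)
     , m_shouldPaintCustomScrollbars(false)
     , m_zoomsTextOnly(false)
     , m_enforceCSSMIMETypeInStrictMode(true)
+    , m_maximumDecodedImageSize(std::numeric_limits<size_t>::max())
 {
     // A Frame may not have been created yet, so we initialize the AtomicString 
     // hash before trying to use it.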
index 854faff..3eb0c4d 100644 (file)
@@ -174,7 +174,10 @@ namespace WebCore {
         
         void setEnforceCSSMIMETypeInStrictMode(bool);
         bool enforceCSSMIMETypeInStrictMode() { return m_enforceCSSMIMETypeInStrictMode; }
         
         void setEnforceCSSMIMETypeInStrictMode(bool);
         bool enforceCSSMIMETypeInStrictMode() { return m_enforceCSSMIMETypeInStrictMode; }
+
+        void setMaximumDecodedImageSize(size_t size) { m_maximumDecodedImageSize = size; }
+        size_t maximumDecodedImageSize() const { return m_maximumDecodedImageSize; }
+
 #if USE(SAFARI_THEME)
         // Windows debugging pref (global) for switching between the Aqua look and a native windows look.
         static void setShouldPaintNativeControls(bool);
 #if USE(SAFARI_THEME)
         // Windows debugging pref (global) for switching between the Aqua look and a native windows look.
         static void setShouldPaintNativeControls(bool);
@@ -229,6 +232,7 @@ namespace WebCore {
         bool m_shouldPaintCustomScrollbars : 1;
         bool m_zoomsTextOnly : 1;
         bool m_enforceCSSMIMETypeInStrictMode : 1;
         bool m_shouldPaintCustomScrollbars : 1;
         bool m_zoomsTextOnly : 1;
         bool m_enforceCSSMIMETypeInStrictMode : 1;
+        size_t m_maximumDecodedImageSize;
 
 #if USE(SAFARI_THEME)
         static bool gShouldPaintNativeControls;
 
 #if USE(SAFARI_THEME)
         static bool gShouldPaintNativeControls;
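Review bot: The new member `size_t m_maximumDecodedImageSize;` in the last hunk, and the accessor pair added in the hunk above it, carry no comment on what the value means, although the neighbouring Safari-theme declaration explains its purpose in a one-line comment. From the rest of this commit the value is compared against `width * height * 4` of the image's reported size in CachedImage.cpp, a value of 0 disables that check, and Settings.cpp initialises it to `std::numeric_limits<size_t>::max()`; none of that is discoverable from the header, which is where an embedder setting the limit will look. I'd add above the member: `// Upper bound on an image's estimated decoded size (width * height * 4), checked by CachedImage; 0 disables the check, default is the maximum size_t.` The class body continues outside the hunk.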