2011-01-11 Matthew Delaney <mdelaney@apple.com>
authormdelaney@apple.com <mdelaney@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 12 Jan 2011 23:35:54 +0000 (23:35 +0000)
committermdelaney@apple.com <mdelaney@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 12 Jan 2011 23:35:54 +0000 (23:35 +0000)
        Reviewed by Simon Fraser.

        Max area bound needed in creation of IOSurface in ImageBufferCG.cpp
        https://bugs.webkit.org/show_bug.cgi?id=52172

        Tests: fast/canvas/canvas-large-dimensions.html

        * platform/graphics/cg/ImageBufferCG.cpp:
        (WebCore::ImageBuffer::ImageBuffer):
2011-01-11  Matthew Delaney  <mdelaney@apple.com>

        Reviewed by Simon Fraser.

        Max area bound needed in creation of IOSurface in ImageBufferCG.cpp
        https://bugs.webkit.org/show_bug.cgi?id=52172

        * fast/canvas/canvas-large-dimensions.html: Added.
        * fast/canvas/canvas-large-dimensions-expected.txt: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@75648 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/canvas/canvas-large-dimensions-expected.txt [new file with mode: 0644]
LayoutTests/fast/canvas/canvas-large-dimensions.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/graphics/cg/ImageBufferCG.cpp

index f94903846fc9cada35b04241402d9558273ec852..7db9b56e5344c16a095ffe4fdf4d48f34e8b75d0 100644 (file)
@@ -1,3 +1,13 @@
+2011-01-11  Matthew Delaney  <mdelaney@apple.com>
+
+        Reviewed by Simon Fraser.
+
+        Max area bound needed in creation of IOSurface in ImageBufferCG.cpp
+        https://bugs.webkit.org/show_bug.cgi?id=52172
+
+        * fast/canvas/canvas-large-dimensions.html: Added.
+        * fast/canvas/canvas-large-dimensions-expected.txt: Added.
+
 2011-01-12  Tony Chang  <tony@chromium.org>
 
         Reviewed by Ojan Vafai.
diff --git a/LayoutTests/fast/canvas/canvas-large-dimensions-expected.txt b/LayoutTests/fast/canvas/canvas-large-dimensions-expected.txt
new file mode 100644 (file)
index 0000000..6373fec
--- /dev/null
@@ -0,0 +1,48 @@
+Tests that using reasonably large values for canvas.height and canvas.height don't cause a crash"
+
+PASS height == 1000
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS height == 10000
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS height == 100000
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS height == 1000000
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS width == 100
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS width == 1000
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS width == 10000
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS width == 100000
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS width == 1000000
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+
diff --git a/LayoutTests/fast/canvas/canvas-large-dimensions.html b/LayoutTests/fast/canvas/canvas-large-dimensions.html
new file mode 100644 (file)
index 0000000..017c34d
--- /dev/null
@@ -0,0 +1,69 @@
+<!DOCTYPE html>
+<title>Canvas test: test large width/height values</title>
+<script src="../js/resources/js-test-pre.js"></script>
+<body>
+<p>Tests that using reasonably large values for canvas.height and canvas.height don't cause a crash"</p>
+<pre id="console"></pre>
+<canvas id="c" class="output" width="100" height="50"><p class="fallback">FAIL (fallback content)</p></canvas>
+<script>
+var canvas = document.getElementById("c");
+var x, y, w=1, h=1;
+
+testHeight(canvas, 1000);
+testHeight(canvas, 10000);
+testHeight(canvas, 100000);
+testHeight(canvas, 1000000);
+
+testWidth(canvas, 100);
+testWidth(canvas, 1000);
+testWidth(canvas, 10000);
+testWidth(canvas, 100000);
+testWidth(canvas, 1000000);
+
+function testHeight(canvas, height) {
+    canvas.width = 50;
+    canvas.height = height;
+    var ctx = canvas.getContext("2d");
+    ctx.fillStyle = "rgba(255, 255, 255, 1)";
+    var msg = "height == "+height;
+    if (canvas.height == height)
+        testPassed(msg);
+    else
+        testFailed(msg);
+    x = canvas.width-2;
+    y = canvas.height-2;
+    ctx.fillRect(x,y,w,h);
+    var data = ctx.getImageData(x,y,w,h);
+    for (var x = 0; x < 4; x++) {
+        var msg = "Actual: " + data.data[x] + " Expected: 255";
+        if (data.data[x] == 255)
+            testPassed(msg);
+        else
+            testFailed(msg);
+    }
+}
+
+function testWidth(canvas, width) {
+    canvas.height = 50;
+    canvas.width = width;
+    var ctx = canvas.getContext("2d");
+    ctx.fillStyle = "rgba(255, 255, 255, 1)";
+    var msg = "width == "+width;
+    if (canvas.width == width)
+        testPassed(msg);
+    else
+        testFailed(msg);
+    x = canvas.width-2;
+    y = canvas.height-2;
+    ctx.fillRect(x,y,w,h);
+    var data = ctx.getImageData(x,y,w,h);
+    for (var x = 0; x < 4; x++) {
+        var msg = "Actual: " + data.data[x] + " Expected: 255";
+        if (data.data[x] == 255)
+            testPassed(msg);
+        else
+            testFailed(msg);
+    }
+}
+</script>
+
index 20271ad7c5566db74b02e46b9ce1a6a0f3be9e8a..3bd3facf1a24cc7c8248d1ed875dc8bdea348a64 100644 (file)
@@ -1,3 +1,15 @@
+2011-01-11  Matthew Delaney  <mdelaney@apple.com>
+
+        Reviewed by Simon Fraser.
+
+        Max area bound needed in creation of IOSurface in ImageBufferCG.cpp
+        https://bugs.webkit.org/show_bug.cgi?id=52172
+
+        Tests: fast/canvas/canvas-large-dimensions.html
+
+        * platform/graphics/cg/ImageBufferCG.cpp:
+        (WebCore::ImageBuffer::ImageBuffer):
+
 2011-01-12  Daniel Bates  <dbates@rim.com>
             And Benjamin C Meyer  <bmeyer@rim.com>
 
index 75a36e540dcad6eba8285db1c607a3fadb2d5e53..023d098e75cc5ba1211dd97b96129e920c794cd4 100644 (file)
@@ -54,6 +54,8 @@ using namespace std;
 namespace WebCore {
 
 #if USE(IOSURFACE_CANVAS_BACKING_STORE)
+static const int maxIOSurfaceDimension = 4096;
+
 static RetainPtr<IOSurfaceRef> createIOSurface(const IntSize& size)
 {
     unsigned pixelFormat = 'BGRA';
@@ -110,12 +112,15 @@ ImageBuffer::ImageBuffer(const IntSize& size, ColorSpace imageColorSpace, Render
     , m_size(size)
     , m_accelerateRendering(renderingMode == Accelerated)
 {
-#if !USE(IOSURFACE_CANVAS_BACKING_STORE)
-    ASSERT(renderingMode == Unaccelerated);
-#endif
     success = false;  // Make early return mean failure.
     if (size.width() < 0 || size.height() < 0)
         return;
+#if USE(IOSURFACE_CANVAS_BACKING_STORE)
+    if (size.width() >= maxIOSurfaceDimension || size.height() >= maxIOSurfaceDimension)
+        m_accelerateRendering = false;
+#else
+    ASSERT(renderingMode == Unaccelerated);
+#endif
 
     unsigned bytesPerRow = size.width();
     if (bytesPerRow > 0x3FFFFFFF) // Protect against overflow