Reviewed by Simon Fraser.
Max area bound needed in creation of IOSurface in ImageBufferCG.cpp
https://bugs.webkit.org/show_bug.cgi?id=52172
Tests: fast/canvas/canvas-large-dimensions.html
* platform/graphics/cg/ImageBufferCG.cpp:
(WebCore::ImageBuffer::ImageBuffer):
2011-01-11 Matthew Delaney <mdelaney@apple.com>
Reviewed by Simon Fraser.
Max area bound needed in creation of IOSurface in ImageBufferCG.cpp
https://bugs.webkit.org/show_bug.cgi?id=52172
* fast/canvas/canvas-large-dimensions.html: Added.
* fast/canvas/canvas-large-dimensions-expected.txt: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@75648
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2011-01-11 Matthew Delaney <mdelaney@apple.com>
+
+ Reviewed by Simon Fraser.
+
+ Max area bound needed in creation of IOSurface in ImageBufferCG.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=52172
+
+ * fast/canvas/canvas-large-dimensions.html: Added.
+ * fast/canvas/canvas-large-dimensions-expected.txt: Added.
+
2011-01-12 Tony Chang <tony@chromium.org>
Reviewed by Ojan Vafai.
--- /dev/null
+Tests that using reasonably large values for canvas.height and canvas.height don't cause a crash"
+
+PASS height == 1000
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS height == 10000
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS height == 100000
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS height == 1000000
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS width == 100
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS width == 1000
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS width == 10000
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS width == 100000
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS width == 1000000
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+PASS Actual: 255 Expected: 255
+
--- /dev/null
+<!DOCTYPE html>
+<title>Canvas test: test large width/height values</title>
+<script src="../js/resources/js-test-pre.js"></script>
+<body>
+<p>Tests that using reasonably large values for canvas.height and canvas.height don't cause a crash"</p>
+<pre id="console"></pre>
+<canvas id="c" class="output" width="100" height="50"><p class="fallback">FAIL (fallback content)</p></canvas>
+<script>
+var canvas = document.getElementById("c");
+var x, y, w=1, h=1;
+
+testHeight(canvas, 1000);
+testHeight(canvas, 10000);
+testHeight(canvas, 100000);
+testHeight(canvas, 1000000);
+
+testWidth(canvas, 100);
+testWidth(canvas, 1000);
+testWidth(canvas, 10000);
+testWidth(canvas, 100000);
+testWidth(canvas, 1000000);
+
+function testHeight(canvas, height) {
+ canvas.width = 50;
+ canvas.height = height;
+ var ctx = canvas.getContext("2d");
+ ctx.fillStyle = "rgba(255, 255, 255, 1)";
+ var msg = "height == "+height;
+ if (canvas.height == height)
+ testPassed(msg);
+ else
+ testFailed(msg);
+ x = canvas.width-2;
+ y = canvas.height-2;
+ ctx.fillRect(x,y,w,h);
+ var data = ctx.getImageData(x,y,w,h);
+ for (var x = 0; x < 4; x++) {
+ var msg = "Actual: " + data.data[x] + " Expected: 255";
+ if (data.data[x] == 255)
+ testPassed(msg);
+ else
+ testFailed(msg);
+ }
+}
+
+function testWidth(canvas, width) {
+ canvas.height = 50;
+ canvas.width = width;
+ var ctx = canvas.getContext("2d");
+ ctx.fillStyle = "rgba(255, 255, 255, 1)";
+ var msg = "width == "+width;
+ if (canvas.width == width)
+ testPassed(msg);
+ else
+ testFailed(msg);
+ x = canvas.width-2;
+ y = canvas.height-2;
+ ctx.fillRect(x,y,w,h);
+ var data = ctx.getImageData(x,y,w,h);
+ for (var x = 0; x < 4; x++) {
+ var msg = "Actual: " + data.data[x] + " Expected: 255";
+ if (data.data[x] == 255)
+ testPassed(msg);
+ else
+ testFailed(msg);
+ }
+}
+</script>
+
+2011-01-11 Matthew Delaney <mdelaney@apple.com>
+
+ Reviewed by Simon Fraser.
+
+ Max area bound needed in creation of IOSurface in ImageBufferCG.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=52172
+
+ Tests: fast/canvas/canvas-large-dimensions.html
+
+ * platform/graphics/cg/ImageBufferCG.cpp:
+ (WebCore::ImageBuffer::ImageBuffer):
+
2011-01-12 Daniel Bates <dbates@rim.com>
And Benjamin C Meyer <bmeyer@rim.com>
namespace WebCore {
#if USE(IOSURFACE_CANVAS_BACKING_STORE)
+static const int maxIOSurfaceDimension = 4096;
+
static RetainPtr<IOSurfaceRef> createIOSurface(const IntSize& size)
{
unsigned pixelFormat = 'BGRA';
, m_size(size)
, m_accelerateRendering(renderingMode == Accelerated)
{
-#if !USE(IOSURFACE_CANVAS_BACKING_STORE)
- ASSERT(renderingMode == Unaccelerated);
-#endif
success = false; // Make early return mean failure.
if (size.width() < 0 || size.height() < 0)
return;
+#if USE(IOSURFACE_CANVAS_BACKING_STORE)
+ if (size.width() >= maxIOSurfaceDimension || size.height() >= maxIOSurfaceDimension)
+ m_accelerateRendering = false;
+#else
+ ASSERT(renderingMode == Unaccelerated);
+#endif
unsigned bytesPerRow = size.width();
if (bytesPerRow > 0x3FFFFFFF) // Protect against overflow
git://git.webkit.org / WebKit-https.git / commitdiff