Title: [203503] trunk/Source/WebCore
- Revision: 203503
- Author: carlo...@webkit.org
- Date: 2016-07-21 09:01:20 -0700 (Thu, 21 Jul 2016)
Log Message
[Cairo] Fix a crash in fast/canvas/canvas-getImageData-invalid-result-buffer-crash.html
https://bugs.webkit.org/show_bug.cgi?id=160014
Reviewed by Michael Catanzaro.
In r202887 some null checks were added for JSArray::createUninitialized (and related) but not for the
ImageBuffer cairo implementation.
* platform/graphics/cairo/ImageBufferCairo.cpp:
(WebCore::getImageData): Return early if Uint8ClampedArray::createUninitialized() returns nullptr.
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (203502 => 203503)
--- trunk/Source/WebCore/ChangeLog 2016-07-21 13:03:16 UTC (rev 203502)
+++ trunk/Source/WebCore/ChangeLog 2016-07-21 16:01:20 UTC (rev 203503)
@@ -1,3 +1,16 @@
+2016-07-21 Carlos Garcia Campos <cgar...@igalia.com>
+
+ [Cairo] Fix a crash in fast/canvas/canvas-getImageData-invalid-result-buffer-crash.html
+ https://bugs.webkit.org/show_bug.cgi?id=160014
+
+ Reviewed by Michael Catanzaro.
+
+ In r202887 some null checks were added for JSArray::createUninitialized (and related) but not for the
+ ImageBuffer cairo implementation.
+
+ * platform/graphics/cairo/ImageBufferCairo.cpp:
+ (WebCore::getImageData): Return early if Uint8ClampedArray::createUninitialized() returns nullptr.
+
2016-07-21 Miguel Gomez <mago...@igalia.com>
[GTK] The GSTREAMER_GL path in MediaPlayerPrivateGStreamerBase::paintToTextureMapper() is missing a mutex lock
Modified: trunk/Source/WebCore/platform/graphics/cairo/ImageBufferCairo.cpp (203502 => 203503)
--- trunk/Source/WebCore/platform/graphics/cairo/ImageBufferCairo.cpp 2016-07-21 13:03:16 UTC (rev 203502)
+++ trunk/Source/WebCore/platform/graphics/cairo/ImageBufferCairo.cpp 2016-07-21 16:01:20 UTC (rev 203503)
@@ -323,6 +323,8 @@
RefPtr<Uint8ClampedArray> getImageData(const IntRect& rect, const IntRect& logicalRect, const ImageBufferData& data, const IntSize& size, const IntSize& logicalSize, float resolutionScale)
{
RefPtr<Uint8ClampedArray> result = Uint8ClampedArray::createUninitialized(rect.width() * rect.height() * 4);
+ if (!result)
+ return nullptr;
if (rect.x() < 0 || rect.y() < 0 || (rect.x() + rect.width()) > size.width() || (rect.y() + rect.height()) > size.height())
result->zeroFill();
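Review bot: The length expression rect.width() * rect.height() * 4 on the createUninitialized() line is still evaluated without an overflow check, so the added null check only covers the case where the allocation itself fails. If the product wraps, the allocation can succeed with a buffer smaller than the rectangle implies, and the early return is never taken. Consider computing the size with checked arithmetic (WTF's Checked<unsigned, RecordOverflow> is one option) and returning nullptr on overflow as well. Separately, this change makes a null return possible from getImageData(); the callers are not visible in this hunk, so please confirm they test the result before dereferencing it, and say so in the ChangeLog entry.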