Changeset 208628 in webkit


Timestamp: Nov 11, 2016 4:32:59 PM (7 years ago)
Author: Brent Fulgham
Message:

Neutered ArrayBuffers are not properly serialized
https://bugs.webkit.org/show_bug.cgi?id=164647
<rdar://problem/29213490>

Reviewed by David Kilzer.

Source/WebCore:

Correct binding logic to handle ImageBuffers being deserialized from neutered ArrayBuffers.

Test: fast/canvas/neutered-imagedata.html

  • bindings/js/SerializedScriptValue.cpp:

(WebCore::CloneDeserializer::readTerminal):

LayoutTests:

  • fast/canvas/neutered-imagedata-expected.txt: Added.
  • fast/canvas/neutered-imagedata.html: Added.
Location: trunk
Files: 2 added, 3 edited

  • trunk/LayoutTests/ChangeLog

    r208624 r208628  
     12016-11-11  Brent Fulgham  <bfulgham@apple.com>
     2
     3        Neutered ArrayBuffers are not properly serialized
     4        https://bugs.webkit.org/show_bug.cgi?id=164647
     5        <rdar://problem/29213490>
     6
     7        Reviewed by David Kilzer.
     8
     9        * fast/canvas/neutered-imagedata-expected.txt: Added.
     10        * fast/canvas/neutered-imagedata.html: Added.
     11
    1122016-11-11  Wenson Hsieh  <wenson_hsieh@apple.com>
    213
  • trunk/Source/WebCore/ChangeLog

    r208624 r208628  
     12016-11-11  Brent Fulgham  <bfulgham@apple.com>
     2
     3        Neutered ArrayBuffers are not properly serialized
     4        https://bugs.webkit.org/show_bug.cgi?id=164647
     5        <rdar://problem/29213490>
     6
     7        Reviewed by David Kilzer.
     8
     9        Correct binding logic to handle ImageBuffers being deserialized from neutered ArrayBuffers.
     10
     11        Test: fast/canvas/neutered-imagedata.html
     12
     13        * bindings/js/SerializedScriptValue.cpp:
     14        (WebCore::CloneDeserializer::readTerminal):
     15
    1162016-11-11  Wenson Hsieh  <wenson_hsieh@apple.com>
    217
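Review bot: the description in this ChangeLog entry refers to "ImageBuffers", but the function it lists, `WebCore::CloneDeserializer::readTerminal`, is the one that deserializes `ImageData` records, and the accompanying test is `neutered-imagedata.html`; consider changing the term to "ImageData" so the entry matches the code it describes.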
  • trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp

    r208602 r208628  
    22752275            if (!read(length))
    22762276                return JSValue();
    2277             if (m_end < ((uint8_t*)0) + length || m_ptr > m_end - length) {
     2277            if (m_end - m_ptr < length) {
    22782278                fail();
    22792279                return JSValue();
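Review bot: the replacement guard `m_end - m_ptr < length` compares a signed pointer difference against `length`, whose type is not visible in the hunk; if `length` is unsigned and at least as wide as `ptrdiff_t`, a negative difference (should `m_ptr` ever sit past `m_end`) converts to a large unsigned value and the bounds check passes. The removed form was worse, since `((uint8_t*)0) + length` is arithmetic on a null pointer, so this is an improvement, but an `ASSERT(m_ptr <= m_end)` ahead of the comparison, or writing `static_cast<size_t>(m_end - m_ptr) < length`, would make the relied-upon invariant explicit.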
     
    22832283                return jsNull();
    22842284            }
    2285             RefPtr<ImageData> result = ImageData::create(IntSize(width, height));
    2286             memcpy(result->data()->data(), m_ptr, length);
     2285            IntSize imageSize(width, height);
     2286            RELEASE_ASSERT(!length || (imageSize.area() * 4).unsafeGet() <= length);
     2287            RefPtr<ImageData> result = ImageData::create(imageSize);
     2288            if (!result) {
     2289                fail();
     2290                return JSValue();
     2291            }
     2292            if (length)
     2293                memcpy(result->data()->data(), m_ptr, length);
     2294            else
     2295                result->data()->zeroFill();
    22872296            m_ptr += length;
    22882297            return getJSValue(result.get());
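Review bot: the `RELEASE_ASSERT` added before `ImageData::create` only enforces `area * 4 <= length`, yet the `memcpy` that follows copies `length` bytes into the pixel buffer that `ImageData::create(imageSize)` sized at `area * 4` bytes, so a serialized `length` larger than the pixel buffer satisfies the assertion and the copy runs past the end of the destination. Since `length` is read from the serialized stream, the deserializer should not trust it: either assert equality (`!length || (imageSize.area() * 4).unsafeGet() == length`) or, preferably, call `fail()` and return when the two disagree, as is already done for the `!result` case. Note also that `unsafeGet()` on the checked product will itself terminate the process if `area * 4` overflows; that is acceptable inside a `RELEASE_ASSERT`, but worth a short comment so the intent is clear.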