Changeset 209207 in webkit

Timestamp:

Dec 1, 2016 2:23:47 PM (7 years ago)

Author:

matthew_hanson@apple.com

Message:

Merge r208628. rdar://problem/29277337

Location:

branches/safari-602-branch

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/canvas/neutered-imagedata-expected.txt (added)
• LayoutTests/fast/canvas/neutered-imagedata.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/SerializedScriptValue.cpp (modified) (2 diffs)

branches/safari-602-branch/LayoutTests/ChangeLog

@@ +1 @@
+2016-12-01  Matthew Hanson  <matthew_hanson@apple.com>
+
+        Merge r208628. rdar://problem/29277337
+
+    2016-11-11  Brent Fulgham  <bfulgham@apple.com>
+
+            Neutered ArrayBuffers are not properly serialized
+            https://bugs.webkit.org/show_bug.cgi?id=164647
+            <rdar://problem/29213490>
+
+            Reviewed by David Kilzer.
+
+            * fast/canvas/neutered-imagedata-expected.txt: Added.
+            * fast/canvas/neutered-imagedata.html: Added.
+
 2016-11-14  Matthew Hanson  <matthew_hanson@apple.com>
 

branches/safari-602-branch/Source/WebCore/ChangeLog

@@ +1 @@
+2016-12-01  Matthew Hanson  <matthew_hanson@apple.com>
+
+        Merge r208628. rdar://problem/29277337
+
+    2016-11-11  Brent Fulgham  <bfulgham@apple.com>
+
+            Neutered ArrayBuffers are not properly serialized
+            https://bugs.webkit.org/show_bug.cgi?id=164647
+            <rdar://problem/29213490>
+
+            Reviewed by David Kilzer.
+
+            Correct binding logic to handle ImageBuffers being deserialized from neutered ArrayBuffers.
+
+            Test: fast/canvas/neutered-imagedata.html
+
+            * bindings/js/SerializedScriptValue.cpp:
+            (WebCore::CloneDeserializer::readTerminal):
+
 2016-11-28  Matthew Hanson  <matthew_hanson@apple.com>
 

branches/safari-602-branch/Source/WebCore/bindings/js/SerializedScriptValue.cpp

@@ -2270 +2270 @@
             if (!read(length))
                 return JSValue();
-            if (m_end < ((uint8_t*)0) + length || m_ptr > m_end - length) {
+            if (m_end - m_ptr < length) {
                 fail();
                 return JSValue();
@@ -2278 +2278 @@
                 return jsNull();
             }
-            RefPtr<ImageData> result = ImageData::create(IntSize(width, height));
-            memcpy(result->data()->data(), m_ptr, length);
+            IntSize imageSize(width, height);
+            RELEASE_ASSERT(!length || (imageSize.area() * 4).unsafeGet() <= length);
+            RefPtr<ImageData> result = ImageData::create(imageSize);
+            if (!result) {
+                fail();
+                return JSValue();
+            }
+            if (length)
+                memcpy(result->data()->data(), m_ptr, length);
+            else
+                result->data()->zeroFill();
             m_ptr += length;
             return getJSValue(result.get());