Changeset 232618 in webkit


Timestamp:
Jun 8, 2018 12:59:08 AM (5 years ago)
Author:
magomez@igalia.com
Message:

[GTK][WPE] Wrong result when calling ImageBufferCairo's getImageData()
https://bugs.webkit.org/show_bug.cgi?id=186384

Reviewed by Michael Catanzaro.

Fix calculations so the result is the expected one.

  • platform/graphics/cairo/ImageBufferCairo.cpp:

(WebCore::getImageData):

Location:
trunk/Source/WebCore
Files:
2 edited

  • trunk/Source/WebCore/ChangeLog

    r232615 r232618  
     12018-06-08  Miguel Gomez  <magomez@igalia.com>
     2
     3        [GTK][WPE] Wrong result when calling ImageBufferCairo's getImageData()
     4        https://bugs.webkit.org/show_bug.cgi?id=186384
     5
     6        Reviewed by Michael Catanzaro.
     7
     8        Fix calculations so the result is the expected one.
     9
     10        * platform/graphics/cairo/ImageBufferCairo.cpp:
     11        (WebCore::getImageData):
     12
    1132018-06-07  Fujii Hironori  <Hironori.Fujii@sony.com>
    214
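
Review bot: The description "Fix calculations so the result is the expected one." does not say what was wrong or what changed. The code in this changeset adds overflow checks on the buffer area and on x + width and y + height that make getImageData() return nullptr, plus an early return when nothing is copied; the entry should state that. Only two files are edited, ChangeLog and ImageBufferCairo.cpp, so no regression test covers the new nullptr and early-return paths; consider adding one.
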
  • trunk/Source/WebCore/platform/graphics/cairo/ImageBufferCairo.cpp

    r232535 r232618  
    350350RefPtr<Uint8ClampedArray> getImageData(const IntRect& rect, const IntRect& logicalRect, const ImageBufferData& data, const IntSize& size, const IntSize& logicalSize, float resolutionScale)
    351351{
    352     auto result = Uint8ClampedArray::createUninitialized(rect.width() * rect.height() * 4);
     352    // The area can overflow if the rect is too big.
     353    Checked<unsigned, RecordOverflow> area = 4;
     354    area *= rect.width();
     355    area *= rect.height();
     356    if (area.hasOverflowed())
     357        return nullptr;
     358
     359    auto result = Uint8ClampedArray::createUninitialized(area.unsafeGet());
    353360    if (!result)
    354361        return nullptr;
    355362
    356     if (rect.x() < 0 || rect.y() < 0 || (rect.x() + rect.width()) > size.width() || (rect.y() + rect.height()) > size.height())
     363    // Can overflow, as we are adding 2 ints.
     364    int endx = 0;
     365    if (!WTF::safeAdd(rect.x(), rect.width(), endx))
     366        return nullptr;
     367
     368    // Can overflow, as we are adding 2 ints.
     369    int endy = 0;
     370    if (!WTF::safeAdd(rect.y(), rect.height(), endy))
     371        return nullptr;
     372
     373    if (rect.x() < 0 || rect.y() < 0 || endx > size.width() || endy > size.height())
    357374        result->zeroFill();
    358375
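
Review bot: Nothing in the area computation at the top of this hunk rejects a negative rect.width() or rect.height() before they are multiplied into Checked<unsigned, RecordOverflow> area, so the allocation size depends on Checked flagging a multiply by a negative int as overflow. An explicit check for negative dimensions, or a comment saying Checked covers that case, would make the intent clear. Both WTF::safeAdd checks can also return nullptr after Uint8ClampedArray::createUninitialized has already allocated; running the two safeAdd checks before the allocation avoids the throwaway buffer, and the duplicated comment "Can overflow, as we are adding 2 ints." could be stated once.
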
     
    363380        originx = 0;
    364381    }
    365     int endx = rect.maxX();
     382
    366383    if (endx > size.width())
    367384        endx = size.width();
     
    374391        originy = 0;
    375392    }
    376     int endy = rect.maxY();
     393
    377394    if (endy > size.height())
    378395        endy = size.height();
    379396    int numRows = endy - originy;
     397
     398    // Nothing will be copied, so just return the result.
     399    if (numColumns <= 0 || numRows <= 0)
     400        return result;
    380401
    381402    // The size of the derived surface is in BackingStoreCoordinateSystem.
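
Review bot: The early return "if (numColumns <= 0 || numRows <= 0) return result;" hands back a buffer that came from createUninitialized, and zeroFill() only runs under the bounds condition earlier in the function. Please confirm that every rect reaching this return with a non-empty buffer has already gone through zeroFill(); otherwise uninitialized heap bytes are returned to the caller. Calling result->zeroFill() on this path, or asserting the invariant, would make it safe by construction, and the comment "Nothing will be copied" could say why the contents are already defined.
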