Changeset 207560 in webkit
- Timestamp:
- Oct 19, 2016 12:52:38 PM (7 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 2 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/WebCore/ChangeLog
r207557 r207560 1 2016-10-19 David Kilzer <ddkilzer@apple.com> 2 3 Bug 163670: Refine assertions in WebCore::ImageData constructors 4 <https://webkit.org/b/163670> 5 <rdar://problem/27497338> 6 7 Reviewed by Brent Fulgham. 8 9 No new tests because there is no change in nominal behavior. 10 11 * html/ImageData.cpp: 12 (WebCore::ImageData::ImageData(const IntSize&)): Change to use 13 ASSERT() since the worst-case scenario here is a nullptr deref. 14 Switch to IntSize::area() to compute the area. 15 (WebCore::ImageData::ImageData(const IntSize&, Ref<Uint8ClampedArray>&&)): 16 Add ASSERT() identical to the previous constructor, and change 17 ASSERT_WITH_SECURITY_IMPLICATION() to only fire when m_data is 18 not nullptr and the length check fails. Switch to 19 IntSize::area() to compute the area. 20 1 21 2016-10-19 Myles C. Maxfield <mmaxfield@apple.com> 2 22 -
trunk/Source/WebCore/html/ImageData.cpp
r202887 r207560 114 114 ImageData::ImageData(const IntSize& size) 115 115 : m_size(size) 116 , m_data(Uint8ClampedArray::createUninitialized(size. width() * size.height() * 4))116 , m_data(Uint8ClampedArray::createUninitialized(size.area() * 4)) 117 117 { 118 ASSERT _WITH_SECURITY_IMPLICATION(m_data);118 ASSERT(m_data); 119 119 } 120 120 … … 123 123 , m_data(WTFMove(byteArray)) 124 124 { 125 ASSERT_WITH_SECURITY_IMPLICATION(static_cast<unsigned>(size.width() * size.height() * 4) <= m_data->length()); 125 ASSERT(m_data); 126 ASSERT_WITH_SECURITY_IMPLICATION(!m_data || (size.area() * 4) <= m_data->length()); 126 127 } 127 128
Note: See TracChangeset
for help on using the changeset viewer.