Changeset 207708 in webkit


Timestamp:
Oct 21, 2016 11:38:36 PM (7 years ago)
Author:
ddkilzer@apple.com
Message:

Bug 163762: IntSize::area() should used checked arithmetic
<https://webkit.org/b/163762>

Reviewed by Darin Adler.

Source/WebCore:

No new tests since no change in nominal behavior.

  • platform/graphics/IntSize.h:

(WebCore::IntSize::area): Change to return a
Checked<unsigned, T> value. Use WTF:: namespace to avoid
including another header.

  • platform/graphics/IntRect.h:

(WebCore::IntRect::area): Ditto.

The remaining changes are to use the Checked<unsigned> return
value of IntSize::area() and IntRect::area() correctly in
context, in addition to items noted below.

  • html/HTMLPlugInImageElement.cpp:

(WebCore::HTMLPlugInImageElement::isTopLevelFullPagePlugin):
Declare contentWidth and contentHeight as float values to
prevent overflow when computing the area, and to make the
inequality comparison in the return statement use the same type
for both sides.

  • html/ImageData.cpp:

(WebCore::ImageData::ImageData):

  • html/MediaElementSession.cpp:

(WebCore::isElementRectMostlyInMainFrame):

  • platform/graphics/ImageBackingStore.h:

(WebCore::ImageBackingStore::setSize): Restructure logic to
compute area only once.
(WebCore::ImageBackingStore::clear):

  • platform/graphics/ImageFrame.h:

(WebCore::ImageFrame::frameBytes):

  • platform/graphics/ImageSource.cpp:

(WebCore::ImageSource::maximumSubsamplingLevel):

  • platform/graphics/ca/LayerPool.cpp:

(WebCore::LayerPool::backingStoreBytesForSize):

  • platform/graphics/cg/ImageDecoderCG.cpp:

(WebCore::ImageDecoder::frameBytesAtIndex):

  • platform/graphics/filters/FEGaussianBlur.cpp:

(WebCore::FEGaussianBlur::platformApplySoftware):

  • platform/graphics/filters/FilterEffect.cpp:

(WebCore::FilterEffect::asUnmultipliedImage):
(WebCore::FilterEffect::asPremultipliedImage):
(WebCore::FilterEffect::copyUnmultipliedImage):
(WebCore::FilterEffect::copyPremultipliedImage):
(WebCore::FilterEffect::createUnmultipliedImageResult):
(WebCore::FilterEffect::createPremultipliedImageResult):

  • platform/graphics/win/ImageBufferDataDirect2D.cpp:

(WebCore::ImageBufferData::getData): Update overflow check,
rename local variable to numBytes, and compute numBytes once.

  • platform/graphics/win/ImageDecoderDirect2D.cpp:

(WebCore::ImageDecoder::frameBytesAtIndex):

  • platform/image-decoders/ImageDecoder.cpp:

(WebCore::ImageDecoder::frameBytesAtIndex):

  • platform/ios/LegacyTileLayerPool.mm:

(WebCore::LegacyTileLayerPool::bytesBackingLayerWithPixelSize):

  • rendering/RenderLayerCompositor.cpp:

(WebCore::RenderLayerCompositor::requiresCompositingForCanvas):

  • rendering/shapes/Shape.cpp:

(WebCore::Shape::createRasterShape):

Source/WebKit2:

  • Shared/ShareableBitmap.cpp:

(WebKit::ShareableBitmap::create): Add overflow check and return
nullptr on overflow.
(WebKit::ShareableBitmap::createShareable): Ditto.
(WebKit::ShareableBitmap::create): Change debug assert for
adequate buffer size check into release check.

  • Shared/ShareableBitmap.h:

(WebKit::ShareableBitmap::numBytesForSize): Change to return a
Checked<unsigned, RecordOverflow> value.
(WebKit::ShareableBitmap::sizeInBytes):

  • Shared/cairo/ShareableBitmapCairo.cpp:

(WebKit::ShareableBitmap::numBytesForSize): Ditto.

  • UIProcess/API/Cocoa/WKWebView.mm:

(-[WKWebView _takeViewSnapshot]): Call unsafeGet().

Tools:

  • TestWebKitAPI/Tests/WebCore/IntRect.cpp:

(TestWebKitAPI::TEST): Call unsafeGet().

  • TestWebKitAPI/Tests/WebCore/IntSize.cpp:

(TestWebKitAPI::TEST): Ditto.

Location:
trunk
Files:
27 edited

  • trunk/Source/WebCore/ChangeLog

    r207706 r207708  
     12016-10-21  David Kilzer  <ddkilzer@apple.com>
     2
     3        Bug 163762: IntSize::area() should used checked arithmetic
     4        <https://webkit.org/b/163762>
     5
     6        Reviewed by Darin Adler.
     7
     8        No new tests since no change in nominal behavior.
     9
     10        * platform/graphics/IntSize.h:
     11        (WebCore::IntSize::area): Change to return a
     12        Checked<unsigned, T> value. Use WTF:: namespace to avoid
     13        including another header.
     14
     15        * platform/graphics/IntRect.h:
     16        (WebCore::IntRect::area): Ditto.
     17
     18        The remaining changes are to use the Checked<unsigned> return
     19        value of IntSize::area() and IntRect::area() correctly in
     20        context, in addition to items noted below.
     21
     22        * html/HTMLPlugInImageElement.cpp:
     23        (WebCore::HTMLPlugInImageElement::isTopLevelFullPagePlugin):
     24        Declare contentWidth and contentHeight as float values to
     25        prevent overflow when computing the area, and to make the
     26        inequality comparison in the return statement uses the same type
     27        for both sides.
     28        * html/ImageData.cpp:
     29        (WebCore::ImageData::ImageData):
     30        * html/MediaElementSession.cpp:
     31        (WebCore::isElementRectMostlyInMainFrame):
     32        * platform/graphics/ImageBackingStore.h:
     33        (WebCore::ImageBackingStore::setSize): Restructure logic to
     34        compute area only once.
     35        (WebCore::ImageBackingStore::clear):
     36        * platform/graphics/ImageFrame.h:
     37        (WebCore::ImageFrame::frameBytes):
     38        * platform/graphics/ImageSource.cpp:
     39        (WebCore::ImageSource::maximumSubsamplingLevel):
     40        * platform/graphics/ca/LayerPool.cpp:
     41        (WebCore::LayerPool::backingStoreBytesForSize):
     42        * platform/graphics/cg/ImageDecoderCG.cpp:
     43        (WebCore::ImageDecoder::frameBytesAtIndex):
     44        * platform/graphics/filters/FEGaussianBlur.cpp:
     45        (WebCore::FEGaussianBlur::platformApplySoftware):
     46        * platform/graphics/filters/FilterEffect.cpp:
     47        (WebCore::FilterEffect::asUnmultipliedImage):
     48        (WebCore::FilterEffect::asPremultipliedImage):
     49        (WebCore::FilterEffect::copyUnmultipliedImage):
     50        (WebCore::FilterEffect::copyPremultipliedImage):
     51        (WebCore::FilterEffect::createUnmultipliedImageResult):
     52        (WebCore::FilterEffect::createPremultipliedImageResult):
     53        * platform/graphics/win/ImageBufferDataDirect2D.cpp:
     54        (WebCore::ImageBufferData::getData): Update overflow check,
     55        rename local variable to numBytes, and compute numBytes once.
     56        * platform/graphics/win/ImageDecoderDirect2D.cpp:
     57        (WebCore::ImageDecoder::frameBytesAtIndex):
     58        * platform/image-decoders/ImageDecoder.cpp:
     59        (WebCore::ImageDecoder::frameBytesAtIndex):
     60        * platform/ios/LegacyTileLayerPool.mm:
     61        (WebCore::LegacyTileLayerPool::bytesBackingLayerWithPixelSize):
     62        * rendering/RenderLayerCompositor.cpp:
     63        (WebCore::RenderLayerCompositor::requiresCompositingForCanvas):
     64        * rendering/shapes/Shape.cpp:
     65        (WebCore::Shape::createRasterShape):
     66
    1672016-10-21  Gavin Barraclough  <barraclough@apple.com>
    268
  • trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp

    r207458 r207708  
    590590    IntSize visibleSize = frame.view()->visibleSize();
    591591    LayoutRect contentRect = renderer.contentBoxRect();
    592     int contentWidth = contentRect.width();
    593     int contentHeight = contentRect.height();
    594     return is100Percent(style.width()) && is100Percent(style.height()) && contentWidth * contentHeight > visibleSize.area() * sizingFullPageAreaRatioThreshold;
     592    float contentWidth = contentRect.width();
     593    float contentHeight = contentRect.height();
     594    return is100Percent(style.width()) && is100Percent(style.height()) && contentWidth * contentHeight > visibleSize.area().unsafeGet() * sizingFullPageAreaRatioThreshold;
    595595}
    596596   
  • trunk/Source/WebCore/html/ImageData.cpp

    r207560 r207708  
    114114ImageData::ImageData(const IntSize& size)
    115115    : m_size(size)
    116     , m_data(Uint8ClampedArray::createUninitialized(size.area() * 4))
     116    , m_data(Uint8ClampedArray::createUninitialized((size.area() * 4).unsafeGet()))
    117117{
    118118    ASSERT(m_data);
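Review bot: line 116 applies the default CrashOnOverflow policy to a size that ultimately comes from the script-visible ImageData constructor, so this is only a clean fix if ImageData::create (not in the hunk) already rejects dimensions whose `width * height * 4` does not fit in `unsigned`. If it does not, compute `size.area<RecordOverflow>() * 4` there and return null (so the binding can throw) rather than crashing in the constructor; the ASSERT_WITH_SECURITY_IMPLICATION in the second hunk would then be checking an invariant the caller guarantees.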
     
    124124{
    125125    ASSERT(m_data);
    126     ASSERT_WITH_SECURITY_IMPLICATION(!m_data || (size.area() * 4) <= m_data->length());
     126    ASSERT_WITH_SECURITY_IMPLICATION(!m_data || (size.area() * 4).unsafeGet() <= m_data->length());
    127127}
    128128
  • trunk/Source/WebCore/html/MediaElementSession.cpp

    r207220 r207708  
    676676    IntRect mainFrameRectAdjustedForScrollPosition = IntRect(-mainFrameView->documentScrollPositionRelativeToViewOrigin(), mainFrameView->contentsSize());
    677677    IntRect elementRectInMainFrame = element.clientRect();
    678     unsigned int totalElementArea = elementRectInMainFrame.area();
     678    unsigned totalElementArea = elementRectInMainFrame.area().unsafeGet();
    679679    elementRectInMainFrame.intersect(mainFrameRectAdjustedForScrollPosition);
    680680
    681     return elementRectInMainFrame.area() > totalElementArea / 2;
     681    return elementRectInMainFrame.area().unsafeGet() > totalElementArea / 2;
    682682}
    683683
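Review bot: both `area()` calls at lines 678 and 681 use the default CrashOnOverflow policy on an element rectangle whose dimensions page content controls; if width and height can each exceed 65535, the unsigned product overflows and the process crashes instead of answering a layout heuristic. Since the result only decides whether the element is "mostly" in the main frame, `area<RecordOverflow>()` with `hasOverflowed()` treated as "not mostly in frame", or computing the two areas in `uint64_t`, would fail soft here.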
  • trunk/Source/WebCore/platform/graphics/ImageBackingStore.h

    r206156 r207708  
    5252    bool setSize(const IntSize& size)
    5353    {
    54         if (size.isEmpty() || !m_pixels.tryReserveCapacity(size.area()))
     54        if (size.isEmpty())
    5555            return false;
    5656
    57         m_pixels.resize(size.area());
     57        unsigned area = size.area().unsafeGet();
     58        if (!m_pixels.tryReserveCapacity(area))
     59            return false;
     60
     61        m_pixels.resize(area);
    5862        m_pixelsPtr = m_pixels.data();
    5963        m_size = size;
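Review bot: setSize() already reports failure by returning false when tryReserveCapacity() fails, so the `size.area().unsafeGet()` at line 57 crashing on overflow is inconsistent with the rest of the function. Prefer
    auto area = size.area<RecordOverflow>();
    if (area.hasOverflowed() || !m_pixels.tryReserveCapacity(area.unsafeGet()))
        return false;
so an oversized request takes the same error path as an allocation failure.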
     
    7579    void clear()
    7680    {
    77         memset(m_pixelsPtr, 0, m_size.area() * sizeof(RGBA32));
     81        memset(m_pixelsPtr, 0, (m_size.area() * sizeof(RGBA32)).unsafeGet());
    7882    }
    7983
  • trunk/Source/WebCore/platform/graphics/ImageFrame.h

    r207182 r207708  
    110110    IntSize size() const;
    111111    IntSize sizeRespectingOrientation() const { return !m_orientation.usesWidthAsHeight() ? size() : size().transposedSize(); }
    112     unsigned frameBytes() const { return hasNativeImage() ? size().area() * sizeof(RGBA32) : 0; }
     112    unsigned frameBytes() const { return hasNativeImage() ? (size().area() * sizeof(RGBA32)).unsafeGet() : 0; }
    113113    SubsamplingLevel subsamplingLevel() const { return m_subsamplingLevel; }
    114114
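Review bot: line 112 multiplies a `Checked<unsigned>` by `sizeof(RGBA32)`, which is a `size_t`; WTF's Result type widens the product to `Checked<size_t>` on LP64 targets, so the overflow check runs at 64 bits and the narrowing back to the `unsigned` return type of frameBytes() is unchecked. Multiplying by `4u`, or assigning the product through a `Checked<unsigned>` before calling unsafeGet(), keeps the check at the width of the value actually returned.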
  • trunk/Source/WebCore/platform/graphics/ImageSource.cpp

    r207357 r207708  
    191191
    192192    for (; level < SubsamplingLevel::Last; ++level) {
    193         if (frameSizeAtIndex(0, level).area() < maximumImageAreaBeforeSubsampling)
     193        if (frameSizeAtIndex(0, level).area().unsafeGet() < maximumImageAreaBeforeSubsampling)
    194194            break;
    195195    }
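Review bot: frameSizeAtIndex() reports dimensions taken from the image being decoded, so the CrashOnOverflow policy at line 193 turns an oversized declared frame into a process crash rather than a subsampling decision. An overflowed area is by definition not below maximumImageAreaBeforeSubsampling, so `area<RecordOverflow>()` with `hasOverflowed()` treated as "keep subsampling" preserves the loop's intent and fails soft on malformed input.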
  • trunk/Source/WebCore/platform/graphics/IntRect.h

    r205881 r207708  
    9292    int width() const { return m_size.width(); }
    9393    int height() const { return m_size.height(); }
    94    
    95     unsigned area() const { return m_size.area(); }
     94
     95    template <typename T = WTF::CrashOnOverflow>
     96    Checked<unsigned, T> area() const { return m_size.area<T>(); }
    9697
    9798    void setX(int x) { m_location.setX(x); }
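Review bot: lines 95-96 qualify `WTF::CrashOnOverflow` but use `Checked` unqualified, so this header now depends on `<wtf/CheckedArithmetic.h>` and its `using WTF::Checked` being visible through IntSize.h, and the hunk does not add an include. Adding `#include <wtf/CheckedArithmetic.h>` to IntSize.h (which IntRect.h already pulls in for m_size) makes the dependency explicit instead of include-order dependent; the ChangeLog's "avoid including another header" should then be reworded.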
  • trunk/Source/WebCore/platform/graphics/IntSize.h

    r206635 r207708  
    132132    WEBCORE_EXPORT IntSize constrainedBetween(const IntSize& min, const IntSize& max) const;
    133133
    134     unsigned area() const
    135     {
    136         return abs(m_width) * abs(m_height);
     134    template <typename T = WTF::CrashOnOverflow>
     135    Checked<unsigned, T> area() const
     136    {
     137        return Checked<unsigned, T>(abs(m_width)) * abs(m_height);
    137138    }
    138139
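Review bot: `abs(m_width)` at line 137 is undefined behaviour when m_width is INT_MIN (the result is not representable as int), so that one value still escapes the checked multiply. Taking the absolute values in a wider type before wrapping them, for example `Checked<unsigned, T>(std::abs(static_cast<int64_t>(m_width)))`, keeps the whole expression under the overflow policy, since Checked's converting constructor range-checks the wider value.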
  • trunk/Source/WebCore/platform/graphics/ca/LayerPool.cpp

    r176459 r207708  
    5757unsigned LayerPool::backingStoreBytesForSize(const IntSize& size)
    5858{
    59     return size.width() * size.height() * 4;
     59    return (size.area() * 4).unsafeGet();
    6060}
    6161
  • trunk/Source/WebCore/platform/graphics/cg/ImageDecoderCG.cpp

    r207216 r207708  
    337337{
    338338    IntSize frameSize = frameSizeAtIndex(index, subsamplingLevel);
    339     return frameSize.area() * 4;
     339    return (frameSize.area() * 4).unsafeGet();
    340340}
    341341
  • trunk/Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp

    r202887 r207708  
    540540    IntSize paintSize = absolutePaintRect().size();
    541541    paintSize.scale(filter().filterScale());
    542     RefPtr<Uint8ClampedArray> tmpImageData = Uint8ClampedArray::createUninitialized(paintSize.width() * paintSize.height() * 4);
     542    RefPtr<Uint8ClampedArray> tmpImageData = Uint8ClampedArray::createUninitialized((paintSize.area() * 4).unsafeGet());
    543543    if (!tmpImageData) {
    544544        WTFLogAlways("FEGaussianBlur::platformApplySoftware Unable to create buffer. Requested size was %d x %d\n", paintSize.width(), paintSize.height());
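Review bot: the line immediately after the hunk already handles a null tmpImageData with a WTFLogAlways and an early return, so the CrashOnOverflow policy at line 542 bypasses an error path that exists for exactly this situation. Computing `auto numBytes = paintSize.area<RecordOverflow>() * 4;` and treating `numBytes.hasOverflowed()` the same as a failed allocation would log and return instead of crashing.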
  • trunk/Source/WebCore/platform/graphics/filters/FilterEffect.cpp

    r202887 r207708  
    238238    ASSERT(!ImageBuffer::sizeNeedsClamping(scaledSize));
    239239    scaledSize.scale(m_filter.filterScale());
    240     auto imageData = Uint8ClampedArray::createUninitialized(scaledSize.width() * scaledSize.height() * 4);
     240    auto imageData = Uint8ClampedArray::createUninitialized((scaledSize.area() * 4).unsafeGet());
    241241    copyUnmultipliedImage(imageData.get(), rect);
    242242    return WTFMove(imageData);
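Review bot: `(x.area() * 4).unsafeGet()` is now spelled out eight times in this file with the default CrashOnOverflow policy baked into each call site. A small helper such as `static unsigned rgbaBytesForSize(const IntSize&)` in FilterEffect.cpp would centralize the overflow policy so it can be changed in one place, and would let the asUnmultipliedImage/asPremultipliedImage pair share it with the copy*Image and create*ImageResult functions below.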
     
    248248    ASSERT(!ImageBuffer::sizeNeedsClamping(scaledSize));
    249249    scaledSize.scale(m_filter.filterScale());
    250     auto imageData = Uint8ClampedArray::createUninitialized(scaledSize.width() * scaledSize.height() * 4);
     250    auto imageData = Uint8ClampedArray::createUninitialized((scaledSize.area() * 4).unsafeGet());
    251251    copyPremultipliedImage(imageData.get(), rect);
    252252    return WTFMove(imageData);
     
    317317            ASSERT(!ImageBuffer::sizeNeedsClamping(inputSize));
    318318            inputSize.scale(m_filter.filterScale());
    319             m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized(inputSize.width() * inputSize.height() * 4);
     319            m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized((inputSize.area() * 4).unsafeGet());
    320320            if (!m_unmultipliedImageResult) {
    321321                WTFLogAlways("FilterEffect::copyUnmultipliedImage Unable to create buffer. Requested size was %d x %d\n", inputSize.width(), inputSize.height());
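Review bot: as with the other allocation sites, line 319 crashes on overflow while line 320 already handles a failed allocation with a log message and a bail-out. Routing an overflowed `inputSize.area<RecordOverflow>() * 4` into that existing `if (!m_unmultipliedImageResult)` branch would keep the filter pipeline failing soft on an oversized input size instead of terminating the process.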
     
    324324            unsigned char* sourceComponent = m_premultipliedImageResult->data();
    325325            unsigned char* destinationComponent = m_unmultipliedImageResult->data();
    326             unsigned char* end = sourceComponent + (inputSize.width() * inputSize.height() * 4);
     326            unsigned char* end = sourceComponent + (inputSize.area() * 4).unsafeGet();
    327327            while (sourceComponent < end) {
    328328                int alpha = sourceComponent[3];
     
    357357            ASSERT(!ImageBuffer::sizeNeedsClamping(inputSize));
    358358            inputSize.scale(m_filter.filterScale());
    359             m_premultipliedImageResult = Uint8ClampedArray::createUninitialized(inputSize.width() * inputSize.height() * 4);
     359            m_premultipliedImageResult = Uint8ClampedArray::createUninitialized((inputSize.area() * 4).unsafeGet());
    360360            if (!m_premultipliedImageResult) {
    361361                WTFLogAlways("FilterEffect::copyPremultipliedImage Unable to create buffer. Requested size was %d x %d\n", inputSize.width(), inputSize.height());
     
    364364            unsigned char* sourceComponent = m_unmultipliedImageResult->data();
    365365            unsigned char* destinationComponent = m_premultipliedImageResult->data();
    366             unsigned char* end = sourceComponent + (inputSize.width() * inputSize.height() * 4);
     366            unsigned char* end = sourceComponent + (inputSize.area() * 4).unsafeGet();
    367367            while (sourceComponent < end) {
    368368                int alpha = sourceComponent[3];
     
    404404    ASSERT(!ImageBuffer::sizeNeedsClamping(resultSize));
    405405    resultSize.scale(m_filter.filterScale());
    406     m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized(resultSize.width() * resultSize.height() * 4);
     406    m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized((resultSize.area() * 4).unsafeGet());
    407407    return m_unmultipliedImageResult.get();
    408408}
     
    418418    ASSERT(!ImageBuffer::sizeNeedsClamping(resultSize));
    419419    resultSize.scale(m_filter.filterScale());
    420     m_premultipliedImageResult = Uint8ClampedArray::createUninitialized(resultSize.width() * resultSize.height() * 4);
     420    m_premultipliedImageResult = Uint8ClampedArray::createUninitialized((resultSize.area() * 4).unsafeGet());
    421421    return m_premultipliedImageResult.get();
    422422}
  • trunk/Source/WebCore/platform/graphics/win/ImageBufferDataDirect2D.cpp

    r207591 r207708  
    4646    auto platformContext = context->platformContext();
    4747
    48     Checked<unsigned, RecordOverflow> area = 4 * rect.area();
    49     if (area.hasOverflowed())
     48    auto numBytes = rect.area<RecordOverflow>() * 4;
     49    if (numBytes.hasOverflowed())
    5050        return nullptr;
    5151
    52     auto result = Uint8ClampedArray::createUninitialized(area.unsafeGet());
     52    auto result = Uint8ClampedArray::createUninitialized(numBytes.unsafeGet());
    5353    unsigned char* resultData = result ? result->data() : nullptr;
    5454    if (!resultData)
     
    8585        return nullptr;
    8686
    87     memcpy(result->data(), pixels, 4 * rect.area());
     87    memcpy(result->data(), pixels, numBytes.unsafeGet());
    8888
    8989    return result;
  • trunk/Source/WebCore/platform/graphics/win/ImageDecoderDirect2D.cpp

    r207365 r207708  
    173173
    174174    auto frameSize = frameSizeAtIndex(index, subsamplingLevel);
    175     return frameSize.area() * 4;
     175    return (frameSize.area() * 4).unsafeGet();
    176176}
    177177
  • trunk/Source/WebCore/platform/image-decoders/ImageDecoder.cpp

    r207182 r207708  
    189189        return 0;
    190190    // FIXME: Use the dimension of the requested frame.
    191     return m_size.area() * sizeof(RGBA32);
     191    return (m_size.area() * sizeof(RGBA32)).unsafeGet();
    192192}
    193193
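Review bot: line 191 multiplies a `Checked<unsigned>` by `sizeof(RGBA32)` (a `size_t`), so on LP64 targets the product is checked as `Checked<size_t>` and only then narrowed to the function's return type, which the hunk does not show; if frameBytesAtIndex() returns `unsigned`, that narrowing is unchecked. Multiplying by `4u` instead keeps the overflow check at the width of the returned value.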
  • trunk/Source/WebCore/platform/ios/LegacyTileLayerPool.mm

    r188594 r207708  
    5656unsigned LegacyTileLayerPool::bytesBackingLayerWithPixelSize(const IntSize& size)
    5757{
    58     return size.width() * size.height() * 4;
     58    return (size.area() * 4).unsafeGet();
    5959}
    6060
  • trunk/Source/WebCore/rendering/RenderLayerCompositor.cpp

    r207458 r207708  
    25452545#else
    25462546        HTMLCanvasElement* canvas = downcast<HTMLCanvasElement>(renderer.element());
    2547         bool isCanvasLargeEnoughToForceCompositing = canvas->size().area() >= canvasAreaThresholdRequiringCompositing;
     2547        bool isCanvasLargeEnoughToForceCompositing = canvas->size().area().unsafeGet() >= canvasAreaThresholdRequiringCompositing;
    25482548#endif
    25492549        CanvasCompositingStrategy compositingStrategy = canvasCompositingStrategy(renderer);
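Review bot: canvas->size() at line 2547 is set by script, so the CrashOnOverflow policy makes an oversized canvas crash the process inside a compositing decision. Because an overflowed area is necessarily at or above canvasAreaThresholdRequiringCompositing, `canvas->size().area<RecordOverflow>()` with `hasOverflowed()` treated as "large enough to force compositing" gives the same answer without the crash.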
  • trunk/Source/WebCore/rendering/shapes/Shape.cpp

    r201113 r207708  
    197197        int maxBufferY = std::min(imageRect.height(), marginRect.maxY() - imageRect.y());
    198198
    199         if (static_cast<unsigned>(imageRect.width() * imageRect.height() * 4) == pixelArrayLength) {
     199        if ((imageRect.area() * 4).unsafeGet() == pixelArrayLength) {
    200200            for (int y = minBufferY; y < maxBufferY; ++y) {
    201201                int startX = -1;
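Review bot: the comparison at line 199 already tolerates any mismatch between the computed byte count and pixelArrayLength by skipping the loop, so an overflowed product only needs to count as "not equal". `auto numBytes = imageRect.area<RecordOverflow>() * 4; if (!numBytes.hasOverflowed() && numBytes.unsafeGet() == pixelArrayLength)` preserves that behaviour, whereas the default CrashOnOverflow policy turns it into a crash.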
  • trunk/Source/WebKit2/ChangeLog

    r207706 r207708  
     12016-10-21  David Kilzer  <ddkilzer@apple.com>
     2
     3        Bug 163762: IntSize::area() should used checked arithmetic
     4        <https://webkit.org/b/163762>
     5
     6        Reviewed by Darin Adler.
     7
     8        * Shared/ShareableBitmap.cpp:
     9        (WebKit::ShareableBitmap::create): Add overflow check and return
     10        nullptr on overflow.
     11        (WebKit::ShareableBitmap::createShareable): Ditto.
     12        (WebKit::ShareableBitmap::create): Change debug assert for
     13        adequate buffer size check into release check.
     14        * Shared/ShareableBitmap.h:
     15        (WebKit::ShareableBitmap::numBytesForSize): Change to return a
     16        Checked<unsigned, RecordOverflow> value.
     17        (WebKit::ShareableBitmap::sizeInBytes):
     18        * Shared/cairo/ShareableBitmapCairo.cpp:
     19        (WebKit::ShareableBitmap::numBytesForSize): Ditto.
     20        * UIProcess/API/Cocoa/WKWebView.mm:
     21        (-[WKWebView _takeViewSnapshot]): Call unsafeGet().
     22
    1232016-10-21  Eric Carlson  <eric.carlson@apple.com>
    224
  • trunk/Source/WebKit2/Shared/ShareableBitmap.cpp

    r204668 r207708  
    6767RefPtr<ShareableBitmap> ShareableBitmap::create(const IntSize& size, Flags flags)
    6868{
    69     size_t numBytes = numBytesForSize(size);
    70    
     69    auto numBytes = numBytesForSize(size);
     70    if (numBytes.hasOverflowed())
     71        return nullptr;
     72
    7173    void* data = 0;
    72     if (!tryFastMalloc(numBytes).getValue(data))
     74    if (!tryFastMalloc(numBytes.unsafeGet()).getValue(data))
    7375        return nullptr;
    7476
     
    7880RefPtr<ShareableBitmap> ShareableBitmap::createShareable(const IntSize& size, Flags flags)
    7981{
    80     size_t numBytes = numBytesForSize(size);
     82    auto numBytes = numBytesForSize(size);
     83    if (numBytes.hasOverflowed())
     84        return nullptr;
    8185
    82     RefPtr<SharedMemory> sharedMemory = SharedMemory::allocate(numBytes);
     86    RefPtr<SharedMemory> sharedMemory = SharedMemory::allocate(numBytes.unsafeGet());
    8387    if (!sharedMemory)
    8488        return nullptr;
     
    9195    ASSERT(sharedMemory);
    9296
    93     size_t numBytes = numBytesForSize(size);
    94     ASSERT_UNUSED(numBytes, sharedMemory->size() >= numBytes);
    95    
     97    auto numBytes = numBytesForSize(size);
     98    if (numBytes.hasOverflowed())
     99        return nullptr;
     100    if (sharedMemory->size() < numBytes.unsafeGet()) {
     101        ASSERT_NOT_REACHED();
     102        return nullptr;
     103    }
     104
    96105    return adoptRef(new ShareableBitmap(size, flags, sharedMemory));
    97106}
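Review bot: the release check at lines 100-103 is the right fix, since sharedMemory's size is supplied by another process, but `ASSERT_NOT_REACHED()` inside it means debug builds assert on a condition a misbehaving peer can produce. A plain `return nullptr` (optionally with a log) keeps the release behaviour while letting debug builds and IPC fuzzing continue past a bad handle.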
  • trunk/Source/WebKit2/Shared/ShareableBitmap.h

    r204668 r207708  
    126126
    127127#if USE(CAIRO)
    128     static size_t numBytesForSize(const WebCore::IntSize&);
     128    static Checked<unsigned, RecordOverflow> numBytesForSize(const WebCore::IntSize&);
    129129#else
    130     static size_t numBytesForSize(const WebCore::IntSize& size) { return size.width() * size.height() * 4; }
     130    static Checked<unsigned, RecordOverflow> numBytesForSize(const WebCore::IntSize& size) { return size.area<RecordOverflow>() * 4; }
    131131#endif
    132132
     
    142142
    143143    void* data() const;
    144     size_t sizeInBytes() const { return numBytesForSize(m_size); }
     144    size_t sizeInBytes() const { return numBytesForSize(m_size).unsafeGet(); }
    145145
    146146    WebCore::IntSize m_size;
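Review bot: lines 128 and 130 use `Checked` and `RecordOverflow` unqualified in a header, and the hunk adds no `#include <wtf/CheckedArithmetic.h>`; please add it explicitly rather than relying on what IntSize.h happens to pull in. Also, `sizeInBytes()` at line 144 calls unsafeGet() on a RecordOverflow value, which crashes if the value has overflowed; that is only sound because every create() overload now rejects overflow before constructing the bitmap, so a comment (or `ASSERT(!numBytes.hasOverflowed())`) documenting that invariant would help the next reader.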
  • trunk/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp

    r198655 r207708  
    4141static const cairo_format_t cairoFormat = CAIRO_FORMAT_ARGB32;
    4242
    43 size_t ShareableBitmap::numBytesForSize(const WebCore::IntSize& size)
     43Checked<unsigned, RecordOverflow> ShareableBitmap::numBytesForSize(const WebCore::IntSize& size)
    4444{
    45     return cairo_format_stride_for_width(cairoFormat, size.width()) * size.height();
     45    return Checked<unsigned, RecordOverflow>(cairo_format_stride_for_width(cairoFormat, size.width())) * size.height();
    4646}
    4747
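Review bot: line 45 has a useful side effect worth a comment: cairo_format_stride_for_width() returns -1 when the format is invalid or the width is too large, and constructing `Checked<unsigned, RecordOverflow>` from -1 records an overflow, so the cairo error case now surfaces through `hasOverflowed()` in the callers. Without a comment this looks accidental and could be "simplified" away in a later change.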
  • trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm

    r207512 r207708  
    14141414    CARenderServerCaptureLayerWithTransform(MACH_PORT_NULL, self.layer.context.contextId, (uint64_t)self.layer, slotID, 0, 0, &transform);
    14151415    WebCore::IntSize imageSize = WebCore::expandedIntSize(WebCore::FloatSize(snapshotSize));
    1416     return WebKit::ViewSnapshot::create(slotID, imageSize, imageSize.width() * imageSize.height() * 4);
     1416    return WebKit::ViewSnapshot::create(slotID, imageSize, (imageSize.area() * 4).unsafeGet());
    14171417#endif
    14181418}
  • trunk/Tools/ChangeLog

    r207707 r207708  
     12016-10-21  David Kilzer  <ddkilzer@apple.com>
     2
     3        Bug 163762: IntSize::area() should used checked arithmetic
     4        <https://webkit.org/b/163762>
     5
     6        Reviewed by Darin Adler.
     7
     8        * TestWebKitAPI/Tests/WebCore/IntRect.cpp:
     9        (TestWebKitAPI::TEST): Call unsafeGet().
     10        * TestWebKitAPI/Tests/WebCore/IntSize.cpp:
     11        (TestWebKitAPI::TEST): Ditto.
     12
    1132016-10-21  James Craig  <jcraig@apple.com>
    214
  • trunk/Tools/TestWebKitAPI/Tests/WebCore/IntRect.cpp

    r205871 r207708  
    610610    WebCore::IntRect rect(10, 20, 100, 100);
    611611
    612     EXPECT_EQ(10000U, rect.area());
    613 }
    614 
    615 }
     612    EXPECT_EQ(10000U, rect.area().unsafeGet());
     613}
     614
     615}
  • trunk/Tools/TestWebKitAPI/Tests/WebCore/IntSize.cpp

    r205871 r207708  
    9999
    100100    EXPECT_EQ(1638400, test.diagonalLengthSquared());
    101     EXPECT_EQ(786432U, test.area());
     101    EXPECT_EQ(786432U, test.area().unsafeGet());
    102102}
    103103
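Review bot: the test still only exercises the non-overflowing path, yet overflow detection is the new behaviour this change introduces, so the ChangeLog's "No new tests since no change in nominal behavior" undersells what is testable. A case such as `WebCore::IntSize(65536, 65536).area<WTF::RecordOverflow>()` asserting `hasOverflowed()` (65536 * 65536 is 2^32, one past `unsigned`) and a negative-dimension case asserting the absolute-value path would pin the contract down.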