Changeset 207708 in webkit
- Timestamp:
- Oct 21, 2016 11:38:36 PM (7 years ago)
- Location:
- trunk
- Files:
-
- 27 edited
trunk/Source/WebCore/ChangeLog
r207706 r207708 1 2016-10-21 David Kilzer <ddkilzer@apple.com> 2 3 Bug 163762: IntSize::area() should used checked arithmetic 4 <https://webkit.org/b/163762> 5 6 Reviewed by Darin Adler. 7 8 No new tests since no change in nominal behavior. 9 10 * platform/graphics/IntSize.h: 11 (WebCore::IntSize::area): Change to return a 12 Checked<unsigned, T> value. Use WTF:: namespace to avoid 13 including another header. 14 15 * platform/graphics/IntRect.h: 16 (WebCore::IntRect::area): Ditto. 17 18 The remaining changes are to use the Checked<unsigned> return 19 value of IntSize::area() and IntRect::area() correctly in 20 context, in addition to items noted below. 21 22 * html/HTMLPlugInImageElement.cpp: 23 (WebCore::HTMLPlugInImageElement::isTopLevelFullPagePlugin): 24 Declare contentWidth and contentHeight as float values to 25 prevent overflow when computing the area, and to make the 26 inequality comparison in the return statement uses the same type 27 for both sides. 28 * html/ImageData.cpp: 29 (WebCore::ImageData::ImageData): 30 * html/MediaElementSession.cpp: 31 (WebCore::isElementRectMostlyInMainFrame): 32 * platform/graphics/ImageBackingStore.h: 33 (WebCore::ImageBackingStore::setSize): Restructure logic to 34 compute area only once. 
35 (WebCore::ImageBackingStore::clear): 36 * platform/graphics/ImageFrame.h: 37 (WebCore::ImageFrame::frameBytes): 38 * platform/graphics/ImageSource.cpp: 39 (WebCore::ImageSource::maximumSubsamplingLevel): 40 * platform/graphics/ca/LayerPool.cpp: 41 (WebCore::LayerPool::backingStoreBytesForSize): 42 * platform/graphics/cg/ImageDecoderCG.cpp: 43 (WebCore::ImageDecoder::frameBytesAtIndex): 44 * platform/graphics/filters/FEGaussianBlur.cpp: 45 (WebCore::FEGaussianBlur::platformApplySoftware): 46 * platform/graphics/filters/FilterEffect.cpp: 47 (WebCore::FilterEffect::asUnmultipliedImage): 48 (WebCore::FilterEffect::asPremultipliedImage): 49 (WebCore::FilterEffect::copyUnmultipliedImage): 50 (WebCore::FilterEffect::copyPremultipliedImage): 51 (WebCore::FilterEffect::createUnmultipliedImageResult): 52 (WebCore::FilterEffect::createPremultipliedImageResult): 53 * platform/graphics/win/ImageBufferDataDirect2D.cpp: 54 (WebCore::ImageBufferData::getData): Update overflow check, 55 rename local variable to numBytes, and compute numBytes once. 56 * platform/graphics/win/ImageDecoderDirect2D.cpp: 57 (WebCore::ImageDecoder::frameBytesAtIndex): 58 * platform/image-decoders/ImageDecoder.cpp: 59 (WebCore::ImageDecoder::frameBytesAtIndex): 60 * platform/ios/LegacyTileLayerPool.mm: 61 (WebCore::LegacyTileLayerPool::bytesBackingLayerWithPixelSize): 62 * rendering/RenderLayerCompositor.cpp: 63 (WebCore::RenderLayerCompositor::requiresCompositingForCanvas): 64 * rendering/shapes/Shape.cpp: 65 (WebCore::Shape::createRasterShape): 66 1 67 2016-10-21 Gavin Barraclough <barraclough@apple.com> 2 68 -
trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp
r207458 r207708 590 590 IntSize visibleSize = frame.view()->visibleSize(); 591 591 LayoutRect contentRect = renderer.contentBoxRect(); 592 int contentWidth = contentRect.width();593 int contentHeight = contentRect.height();594 return is100Percent(style.width()) && is100Percent(style.height()) && contentWidth * contentHeight > visibleSize.area() * sizingFullPageAreaRatioThreshold;592 float contentWidth = contentRect.width(); 593 float contentHeight = contentRect.height(); 594 return is100Percent(style.width()) && is100Percent(style.height()) && contentWidth * contentHeight > visibleSize.area().unsafeGet() * sizingFullPageAreaRatioThreshold; 595 595 } 596 596 -
trunk/Source/WebCore/html/ImageData.cpp
r207560 r207708 114 114 ImageData::ImageData(const IntSize& size) 115 115 : m_size(size) 116 , m_data(Uint8ClampedArray::createUninitialized( size.area() * 4))116 , m_data(Uint8ClampedArray::createUninitialized((size.area() * 4).unsafeGet())) 117 117 { 118 118 ASSERT(m_data); … … 124 124 { 125 125 ASSERT(m_data); 126 ASSERT_WITH_SECURITY_IMPLICATION(!m_data || (size.area() * 4) <= m_data->length());126 ASSERT_WITH_SECURITY_IMPLICATION(!m_data || (size.area() * 4).unsafeGet() <= m_data->length()); 127 127 } 128 128 -
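Review bot: In the ImageData constructor, `(size.area() * 4).unsafeGet()` uses the default CrashOnOverflow policy, so an oversized width/height pair now ends the process deterministically rather than producing an undersized buffer; the size here plausibly originates from script-created ImageData objects, which makes that crash reachable from content. The constructor has no failure path of its own, so the overflow check belongs in whichever factory builds the IntSize (outside this hunk): `auto numBytes = size.area<RecordOverflow>() * 4; if (numBytes.hasOverflowed()) return nullptr;` and then pass the already-validated size down. The ASSERT_WITH_SECURITY_IMPLICATION in the second hunk compiles out in release builds, so it does not cover that gap. Both enclosing functions start outside the hunks.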
trunk/Source/WebCore/html/MediaElementSession.cpp
r207220 r207708 676 676 IntRect mainFrameRectAdjustedForScrollPosition = IntRect(-mainFrameView->documentScrollPositionRelativeToViewOrigin(), mainFrameView->contentsSize()); 677 677 IntRect elementRectInMainFrame = element.clientRect(); 678 unsigned int totalElementArea = elementRectInMainFrame.area();678 unsigned totalElementArea = elementRectInMainFrame.area().unsafeGet(); 679 679 elementRectInMainFrame.intersect(mainFrameRectAdjustedForScrollPosition); 680 680 681 return elementRectInMainFrame.area() > totalElementArea / 2;681 return elementRectInMainFrame.area().unsafeGet() > totalElementArea / 2; 682 682 } 683 683 -
trunk/Source/WebCore/platform/graphics/ImageBackingStore.h
r206156 r207708 52 52 bool setSize(const IntSize& size) 53 53 { 54 if (size.isEmpty() || !m_pixels.tryReserveCapacity(size.area()))54 if (size.isEmpty()) 55 55 return false; 56 56 57 m_pixels.resize(size.area()); 57 unsigned area = size.area().unsafeGet(); 58 if (!m_pixels.tryReserveCapacity(area)) 59 return false; 60 61 m_pixels.resize(area); 58 62 m_pixelsPtr = m_pixels.data(); 59 63 m_size = size; … … 75 79 void clear() 76 80 { 77 memset(m_pixelsPtr, 0, m_size.area() * sizeof(RGBA32));81 memset(m_pixelsPtr, 0, (m_size.area() * sizeof(RGBA32)).unsafeGet()); 78 82 } 79 83 -
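Review bot: setSize() already reports failure through its bool return, but the new `unsigned area = size.area().unsafeGet();` crashes on overflow under the default policy instead of taking that path, so a backing store whose dimensions come from a decoded image header can bring the process down rather than simply fail. Using the recording policy keeps the existing contract: `auto checkedArea = size.area<RecordOverflow>(); if (checkedArea.hasOverflowed() || !m_pixels.tryReserveCapacity(checkedArea.unsafeGet())) return false;` followed by `m_pixels.resize(checkedArea.unsafeGet());`. clear() then stays consistent as long as m_size is only ever assigned in setSize(), which is what the visible lines suggest; a one-line comment on clear() such as `// m_size was validated by setSize(), so the product cannot overflow here` would make that dependency explicit.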
trunk/Source/WebCore/platform/graphics/ImageFrame.h
r207182 r207708 110 110 IntSize size() const; 111 111 IntSize sizeRespectingOrientation() const { return !m_orientation.usesWidthAsHeight() ? size() : size().transposedSize(); } 112 unsigned frameBytes() const { return hasNativeImage() ? size().area() * sizeof(RGBA32) : 0; }112 unsigned frameBytes() const { return hasNativeImage() ? (size().area() * sizeof(RGBA32)).unsafeGet() : 0; } 113 113 SubsamplingLevel subsamplingLevel() const { return m_subsamplingLevel; } 114 114 -
trunk/Source/WebCore/platform/graphics/ImageSource.cpp
r207357 r207708 191 191 192 192 for (; level < SubsamplingLevel::Last; ++level) { 193 if (frameSizeAtIndex(0, level).area() < maximumImageAreaBeforeSubsampling)193 if (frameSizeAtIndex(0, level).area().unsafeGet() < maximumImageAreaBeforeSubsampling) 194 194 break; 195 195 } -
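Review bot: The loop in maximumSubsamplingLevel() exists to find a level at which the frame area is small enough, but `frameSizeAtIndex(0, level).area().unsafeGet()` with the default CrashOnOverflow policy will crash at level 0 for an image whose native width*height exceeds unsigned range, before any higher level can be tried. Frame dimensions come from untrusted image data, so unless frameSizeAtIndex() already clamps (not visible here) this is a content-triggerable crash. Treating overflow as "still too large" preserves the intent: `auto area = frameSizeAtIndex(0, level).area<RecordOverflow>(); if (!area.hasOverflowed() && area.unsafeGet() < maximumImageAreaBeforeSubsampling) break;`. The frameBytesAtIndex() changes in ImageDecoderCG.cpp, ImageDecoderDirect2D.cpp and ImageDecoder.cpp make the same default-policy choice, though those return unsigned and have no non-crashing failure path to fall back on. The enclosing function starts outside the hunk.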
trunk/Source/WebCore/platform/graphics/IntRect.h
r205881 r207708 92 92 int width() const { return m_size.width(); } 93 93 int height() const { return m_size.height(); } 94 95 unsigned area() const { return m_size.area(); } 94 95 template <typename T = WTF::CrashOnOverflow> 96 Checked<unsigned, T> area() const { return m_size.area<T>(); } 96 97 97 98 void setX(int x) { m_location.setX(x); } -
trunk/Source/WebCore/platform/graphics/IntSize.h
r206635 r207708 132 132 WEBCORE_EXPORT IntSize constrainedBetween(const IntSize& min, const IntSize& max) const; 133 133 134 unsigned area() const 135 { 136 return abs(m_width) * abs(m_height); 134 template <typename T = WTF::CrashOnOverflow> 135 Checked<unsigned, T> area() const 136 { 137 return Checked<unsigned, T>(abs(m_width)) * abs(m_height); 137 138 } 138 139 -
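Review bot: `Checked<unsigned, T>(abs(m_width))` evaluates abs() on a plain int before any checking happens, so a width or height of INT_MIN is undefined behaviour (and in practice stays negative) before the Checked wrapper ever sees it; the previous code had the same flaw, but a commit whose purpose is a safe area() is the right place to close it. Computing the magnitudes in unsigned arithmetic is well defined for every int: `unsigned w = m_width < 0 ? 0u - static_cast<unsigned>(m_width) : static_cast<unsigned>(m_width);` `unsigned h = m_height < 0 ? 0u - static_cast<unsigned>(m_height) : static_cast<unsigned>(m_height);` `return Checked<unsigned, T>(w) * h;`. The template parameter also deserves a comment, since most call sites in this changeset rely on its default: `// Default policy crashes on overflow; callers whose dimensions come from untrusted input should use area<RecordOverflow>() and check hasOverflowed().` The same comment applies to the forwarding overload added in IntRect.h.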
trunk/Source/WebCore/platform/graphics/ca/LayerPool.cpp
r176459 r207708 57 57 unsigned LayerPool::backingStoreBytesForSize(const IntSize& size) 58 58 { 59 return size.width() * size.height() * 4;59 return (size.area() * 4).unsafeGet(); 60 60 } 61 61 -
trunk/Source/WebCore/platform/graphics/cg/ImageDecoderCG.cpp
r207216 r207708 337 337 { 338 338 IntSize frameSize = frameSizeAtIndex(index, subsamplingLevel); 339 return frameSize.area() * 4;339 return (frameSize.area() * 4).unsafeGet(); 340 340 } 341 341 -
trunk/Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp
r202887 r207708 540 540 IntSize paintSize = absolutePaintRect().size(); 541 541 paintSize.scale(filter().filterScale()); 542 RefPtr<Uint8ClampedArray> tmpImageData = Uint8ClampedArray::createUninitialized( paintSize.width() * paintSize.height() * 4);542 RefPtr<Uint8ClampedArray> tmpImageData = Uint8ClampedArray::createUninitialized((paintSize.area() * 4).unsafeGet()); 543 543 if (!tmpImageData) { 544 544 WTFLogAlways("FEGaussianBlur::platformApplySoftware Unable to create buffer. Requested size was %d x %d\n", paintSize.width(), paintSize.height()); -
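Review bot: The `if (!tmpImageData)` branch right below already handles allocation failure with a log and early exit, but `(paintSize.area() * 4).unsafeGet()` under the default policy crashes on overflow instead of reaching it. Routing overflow into the same failure path costs little: `auto numBytes = paintSize.area<RecordOverflow>() * 4; RefPtr<Uint8ClampedArray> tmpImageData = numBytes.hasOverflowed() ? nullptr : Uint8ClampedArray::createUninitialized(numBytes.unsafeGet());`. The createUninitialized() calls in FilterEffect.cpp (asUnmultipliedImage, asPremultipliedImage, copyUnmultipliedImage, copyPremultipliedImage and the two create*ImageResult methods) follow the same pattern, and the sizeNeedsClamping ASSERTs visible next to them compile out in release builds, so they are not a substitute in shipping code. Whether filter paint sizes can actually reach unsigned overflow after the scaling is not visible here; the enclosing function starts outside the hunk.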
trunk/Source/WebCore/platform/graphics/filters/FilterEffect.cpp
r202887 r207708 238 238 ASSERT(!ImageBuffer::sizeNeedsClamping(scaledSize)); 239 239 scaledSize.scale(m_filter.filterScale()); 240 auto imageData = Uint8ClampedArray::createUninitialized( scaledSize.width() * scaledSize.height() * 4);240 auto imageData = Uint8ClampedArray::createUninitialized((scaledSize.area() * 4).unsafeGet()); 241 241 copyUnmultipliedImage(imageData.get(), rect); 242 242 return WTFMove(imageData); … … 248 248 ASSERT(!ImageBuffer::sizeNeedsClamping(scaledSize)); 249 249 scaledSize.scale(m_filter.filterScale()); 250 auto imageData = Uint8ClampedArray::createUninitialized( scaledSize.width() * scaledSize.height() * 4);250 auto imageData = Uint8ClampedArray::createUninitialized((scaledSize.area() * 4).unsafeGet()); 251 251 copyPremultipliedImage(imageData.get(), rect); 252 252 return WTFMove(imageData); … … 317 317 ASSERT(!ImageBuffer::sizeNeedsClamping(inputSize)); 318 318 inputSize.scale(m_filter.filterScale()); 319 m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized( inputSize.width() * inputSize.height() * 4);319 m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized((inputSize.area() * 4).unsafeGet()); 320 320 if (!m_unmultipliedImageResult) { 321 321 WTFLogAlways("FilterEffect::copyUnmultipliedImage Unable to create buffer. Requested size was %d x %d\n", inputSize.width(), inputSize.height()); … … 324 324 unsigned char* sourceComponent = m_premultipliedImageResult->data(); 325 325 unsigned char* destinationComponent = m_unmultipliedImageResult->data(); 326 unsigned char* end = sourceComponent + (inputSize. 
width() * inputSize.height() * 4);326 unsigned char* end = sourceComponent + (inputSize.area() * 4).unsafeGet(); 327 327 while (sourceComponent < end) { 328 328 int alpha = sourceComponent[3]; … … 357 357 ASSERT(!ImageBuffer::sizeNeedsClamping(inputSize)); 358 358 inputSize.scale(m_filter.filterScale()); 359 m_premultipliedImageResult = Uint8ClampedArray::createUninitialized( inputSize.width() * inputSize.height() * 4);359 m_premultipliedImageResult = Uint8ClampedArray::createUninitialized((inputSize.area() * 4).unsafeGet()); 360 360 if (!m_premultipliedImageResult) { 361 361 WTFLogAlways("FilterEffect::copyPremultipliedImage Unable to create buffer. Requested size was %d x %d\n", inputSize.width(), inputSize.height()); … … 364 364 unsigned char* sourceComponent = m_unmultipliedImageResult->data(); 365 365 unsigned char* destinationComponent = m_premultipliedImageResult->data(); 366 unsigned char* end = sourceComponent + (inputSize. width() * inputSize.height() * 4);366 unsigned char* end = sourceComponent + (inputSize.area() * 4).unsafeGet(); 367 367 while (sourceComponent < end) { 368 368 int alpha = sourceComponent[3]; … … 404 404 ASSERT(!ImageBuffer::sizeNeedsClamping(resultSize)); 405 405 resultSize.scale(m_filter.filterScale()); 406 m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized( resultSize.width() * resultSize.height() * 4);406 m_unmultipliedImageResult = Uint8ClampedArray::createUninitialized((resultSize.area() * 4).unsafeGet()); 407 407 return m_unmultipliedImageResult.get(); 408 408 } … … 418 418 ASSERT(!ImageBuffer::sizeNeedsClamping(resultSize)); 419 419 resultSize.scale(m_filter.filterScale()); 420 m_premultipliedImageResult = Uint8ClampedArray::createUninitialized( resultSize.width() * resultSize.height() * 4);420 m_premultipliedImageResult = Uint8ClampedArray::createUninitialized((resultSize.area() * 4).unsafeGet()); 421 421 return m_premultipliedImageResult.get(); 422 422 } -
trunk/Source/WebCore/platform/graphics/win/ImageBufferDataDirect2D.cpp
r207591 r207708 46 46 auto platformContext = context->platformContext(); 47 47 48 Checked<unsigned, RecordOverflow> area = 4 * rect.area();49 if ( area.hasOverflowed())48 auto numBytes = rect.area<RecordOverflow>() * 4; 49 if (numBytes.hasOverflowed()) 50 50 return nullptr; 51 51 52 auto result = Uint8ClampedArray::createUninitialized( area.unsafeGet());52 auto result = Uint8ClampedArray::createUninitialized(numBytes.unsafeGet()); 53 53 unsigned char* resultData = result ? result->data() : nullptr; 54 54 if (!resultData) … … 85 85 return nullptr; 86 86 87 memcpy(result->data(), pixels, 4 * rect.area());87 memcpy(result->data(), pixels, numBytes.unsafeGet()); 88 88 89 89 return result; -
trunk/Source/WebCore/platform/graphics/win/ImageDecoderDirect2D.cpp
r207365 r207708 173 173 174 174 auto frameSize = frameSizeAtIndex(index, subsamplingLevel); 175 return frameSize.area() * 4;175 return (frameSize.area() * 4).unsafeGet(); 176 176 } 177 177 -
trunk/Source/WebCore/platform/image-decoders/ImageDecoder.cpp
r207182 r207708 189 189 return 0; 190 190 // FIXME: Use the dimension of the requested frame. 191 return m_size.area() * sizeof(RGBA32);191 return (m_size.area() * sizeof(RGBA32)).unsafeGet(); 192 192 } 193 193 -
trunk/Source/WebCore/platform/ios/LegacyTileLayerPool.mm
r188594 r207708 56 56 unsigned LegacyTileLayerPool::bytesBackingLayerWithPixelSize(const IntSize& size) 57 57 { 58 return size.width() * size.height() * 4;58 return (size.area() * 4).unsafeGet(); 59 59 } 60 60 -
trunk/Source/WebCore/rendering/RenderLayerCompositor.cpp
r207458 r207708 2545 2545 #else 2546 2546 HTMLCanvasElement* canvas = downcast<HTMLCanvasElement>(renderer.element()); 2547 bool isCanvasLargeEnoughToForceCompositing = canvas->size().area() >= canvasAreaThresholdRequiringCompositing;2547 bool isCanvasLargeEnoughToForceCompositing = canvas->size().area().unsafeGet() >= canvasAreaThresholdRequiringCompositing; 2548 2548 #endif 2549 2549 CanvasCompositingStrategy compositingStrategy = canvasCompositingStrategy(renderer); -
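Review bot: The comparison on the new line asks whether the canvas is at least the threshold area, so an overflowing width*height is by definition large enough; with the default CrashOnOverflow policy it crashes instead, and canvas dimensions are set by script (whether HTMLCanvasElement caps them before this point is not visible in the hunk). `auto canvasArea = canvas->size().area<RecordOverflow>(); bool isCanvasLargeEnoughToForceCompositing = canvasArea.hasOverflowed() || canvasArea.unsafeGet() >= canvasAreaThresholdRequiringCompositing;` keeps the meaning without the crash. The enclosing function starts and ends outside the hunk.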
trunk/Source/WebCore/rendering/shapes/Shape.cpp
r201113 r207708 197 197 int maxBufferY = std::min(imageRect.height(), marginRect.maxY() - imageRect.y()); 198 198 199 if ( static_cast<unsigned>(imageRect.width() * imageRect.height() * 4) == pixelArrayLength) {199 if ((imageRect.area() * 4).unsafeGet() == pixelArrayLength) { 200 200 for (int y = minBufferY; y < maxBufferY; ++y) { 201 201 int startX = -1; -
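Review bot: The new condition `(imageRect.area() * 4).unsafeGet() == pixelArrayLength` is an integrity check guarding the raster loop, so the natural outcome of an overflowing area is for the check to fail and the loop to be skipped; with the default policy it crashes instead. `auto expectedLength = imageRect.area<RecordOverflow>() * 4; if (!expectedLength.hasOverflowed() && expectedLength.unsafeGet() == pixelArrayLength) {` preserves the guard semantics. Where imageRect comes from is outside the hunk, so whether it can be large enough to matter is inferred rather than shown. The enclosing function starts and ends outside the hunk.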
trunk/Source/WebKit2/ChangeLog
r207706 r207708 1 2016-10-21 David Kilzer <ddkilzer@apple.com> 2 3 Bug 163762: IntSize::area() should used checked arithmetic 4 <https://webkit.org/b/163762> 5 6 Reviewed by Darin Adler. 7 8 * Shared/ShareableBitmap.cpp: 9 (WebKit::ShareableBitmap::create): Add overflow check and return 10 nullptr on overflow. 11 (WebKit::ShareableBitmap::createShareable): Ditto. 12 (WebKit::ShareableBitmap::create): Change debug assert for 13 adequate buffer size check into release check. 14 * Shared/ShareableBitmap.h: 15 (WebKit::ShareableBitmap::numBytesForSize): Change to return a 16 Checked<unsigned, RecordOverflow> value. 17 (WebKit::ShareableBitmap::sizeInBytes): 18 * Shared/cairo/ShareableBitmapCairo.cpp: 19 (WebKit::ShareableBitmap::numBytesForSize): Ditto. 20 * UIProcess/API/Cocoa/WKWebView.mm: 21 (-[WKWebView _takeViewSnapshot]): Call unsafeGet(). 22 1 23 2016-10-21 Eric Carlson <eric.carlson@apple.com> 2 24 -
trunk/Source/WebKit2/Shared/ShareableBitmap.cpp
r204668 r207708 67 67 RefPtr<ShareableBitmap> ShareableBitmap::create(const IntSize& size, Flags flags) 68 68 { 69 size_t numBytes = numBytesForSize(size); 70 69 auto numBytes = numBytesForSize(size); 70 if (numBytes.hasOverflowed()) 71 return nullptr; 72 71 73 void* data = 0; 72 if (!tryFastMalloc(numBytes ).getValue(data))74 if (!tryFastMalloc(numBytes.unsafeGet()).getValue(data)) 73 75 return nullptr; 74 76 … … 78 80 RefPtr<ShareableBitmap> ShareableBitmap::createShareable(const IntSize& size, Flags flags) 79 81 { 80 size_t numBytes = numBytesForSize(size); 82 auto numBytes = numBytesForSize(size); 83 if (numBytes.hasOverflowed()) 84 return nullptr; 81 85 82 RefPtr<SharedMemory> sharedMemory = SharedMemory::allocate(numBytes );86 RefPtr<SharedMemory> sharedMemory = SharedMemory::allocate(numBytes.unsafeGet()); 83 87 if (!sharedMemory) 84 88 return nullptr; … … 91 95 ASSERT(sharedMemory); 92 96 93 size_t numBytes = numBytesForSize(size); 94 ASSERT_UNUSED(numBytes, sharedMemory->size() >= numBytes); 95 97 auto numBytes = numBytesForSize(size); 98 if (numBytes.hasOverflowed()) 99 return nullptr; 100 if (sharedMemory->size() < numBytes.unsafeGet()) { 101 ASSERT_NOT_REACHED(); 102 return nullptr; 103 } 104 96 105 return adoptRef(new ShareableBitmap(size, flags, sharedMemory)); 97 106 } -
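Review bot: In the third create() overload the new size check is exactly what a bitmap handle arriving from another process needs, but pairing it with `ASSERT_NOT_REACHED()` labels a too-small shared memory region as a programmer error; if this overload is reached from IPC decoding (not visible here), a debug build would assert on malformed input that release builds correctly reject. In that case drop the assert and keep only `if (sharedMemory->size() < numBytes.unsafeGet()) return nullptr;`, with a comment such as `// The size may originate in a less trusted process; reject rather than assert.`. The hasOverflowed() checks added to the first two overloads are the right shape and match the RecordOverflow policy that numBytesForSize() now uses.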
trunk/Source/WebKit2/Shared/ShareableBitmap.h
r204668 r207708 126 126 127 127 #if USE(CAIRO) 128 static size_tnumBytesForSize(const WebCore::IntSize&);128 static Checked<unsigned, RecordOverflow> numBytesForSize(const WebCore::IntSize&); 129 129 #else 130 static size_t numBytesForSize(const WebCore::IntSize& size) { return size.width() * size.height() * 4; }130 static Checked<unsigned, RecordOverflow> numBytesForSize(const WebCore::IntSize& size) { return size.area<RecordOverflow>() * 4; } 131 131 #endif 132 132 … … 142 142 143 143 void* data() const; 144 size_t sizeInBytes() const { return numBytesForSize(m_size) ; }144 size_t sizeInBytes() const { return numBytesForSize(m_size).unsafeGet(); } 145 145 146 146 WebCore::IntSize m_size; -
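Review bot: `sizeInBytes()` calls `unsafeGet()` on a RecordOverflow value without checking hasOverflowed(); that is sound only because every path that sets m_size goes through a create() overload that already rejects overflow, and that invariant is not stated anywhere near this line. A one-line comment would keep a future constructor or setter from breaking it: `// m_size was validated by create(), so numBytesForSize() cannot have overflowed here.`. It is also worth noting in the header that numBytesForSize() now returns Checked<unsigned> while sizeInBytes() still returns size_t; the widening is harmless but a reader may expect the two to agree.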
trunk/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp
r198655 r207708 41 41 static const cairo_format_t cairoFormat = CAIRO_FORMAT_ARGB32; 42 42 43 size_tShareableBitmap::numBytesForSize(const WebCore::IntSize& size)43 Checked<unsigned, RecordOverflow> ShareableBitmap::numBytesForSize(const WebCore::IntSize& size) 44 44 { 45 return cairo_format_stride_for_width(cairoFormat, size.width()) * size.height();45 return Checked<unsigned, RecordOverflow>(cairo_format_stride_for_width(cairoFormat, size.width())) * size.height(); 46 46 } 47 47 -
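Review bot: `cairo_format_stride_for_width()` returns -1 when the width is too large for the format, and the new code passes that straight into the `Checked<unsigned, RecordOverflow>` constructor; the same applies to a negative `size.height()` on the right-hand side of the multiplication. I believe WTF's Checked records an overflow when initialized from a value that does not fit the target type, in which case the result is already correct, but the code's correctness then rests on a detail no reader can see here. Either document it, `// -1 from cairo (width too large) and negative heights are recorded as overflow by Checked`, or make it explicit with an `int stride = cairo_format_stride_for_width(cairoFormat, size.width());` followed by a `if (stride < 0 || size.height() < 0)` branch that yields an overflowed Checked value.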
trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm
r207512 r207708 1414 1414 CARenderServerCaptureLayerWithTransform(MACH_PORT_NULL, self.layer.context.contextId, (uint64_t)self.layer, slotID, 0, 0, &transform); 1415 1415 WebCore::IntSize imageSize = WebCore::expandedIntSize(WebCore::FloatSize(snapshotSize)); 1416 return WebKit::ViewSnapshot::create(slotID, imageSize, imageSize.width() * imageSize.height() * 4);1416 return WebKit::ViewSnapshot::create(slotID, imageSize, (imageSize.area() * 4).unsafeGet()); 1417 1417 #endif 1418 1418 } -
trunk/Tools/ChangeLog
r207707 r207708 1 2016-10-21 David Kilzer <ddkilzer@apple.com> 2 3 Bug 163762: IntSize::area() should used checked arithmetic 4 <https://webkit.org/b/163762> 5 6 Reviewed by Darin Adler. 7 8 * TestWebKitAPI/Tests/WebCore/IntRect.cpp: 9 (TestWebKitAPI::TEST): Call unsafeGet(). 10 * TestWebKitAPI/Tests/WebCore/IntSize.cpp: 11 (TestWebKitAPI::TEST): Ditto. 12 1 13 2016-10-21 James Craig <jcraig@apple.com> 2 14 -
trunk/Tools/TestWebKitAPI/Tests/WebCore/IntRect.cpp
r205871 r207708 610 610 WebCore::IntRect rect(10, 20, 100, 100); 611 611 612 EXPECT_EQ(10000U, rect.area() );613 } 614 615 } 612 EXPECT_EQ(10000U, rect.area().unsafeGet()); 613 } 614 615 } -
trunk/Tools/TestWebKitAPI/Tests/WebCore/IntSize.cpp
r205871 r207708 99 99 100 100 EXPECT_EQ(1638400, test.diagonalLengthSquared()); 101 EXPECT_EQ(786432U, test.area() );101 EXPECT_EQ(786432U, test.area().unsafeGet()); 102 102 } 103 103