b=322215, fix up canvas drawWindow temporary sizing

git-svn-id: svn://10.0.0.236/trunk@187029 18797224-902f-48f8-a5cc-f745e15eee43
vladimir%pobox.com 2006-01-05 22:59:56 +00:00
parent 589287b4b3
commit 00a55347d1


@ -1807,6 +1807,29 @@ nsCanvasRenderingContext2D::CairoSurfaceFromElement(nsIDOMElement *imgElt,
return NS_OK;
}
static PRBool
CheckSaneImageSize (PRInt32 width, PRInt32 height)
{
if (width <= 0 || height <= 0)
return PR_FALSE;
/* check to make sure we don't overflow a 32-bit */
PRInt32 tmp = width * height;
if (tmp / height != width)
return PR_FALSE;
tmp = tmp * 4;
if (tmp / 4 != width * height)
return PR_FALSE;
/* reject over-wide or over-tall images */
const PRInt32 k64KLimit = 0x0000FFFF;
if (width > k64KLimit || height > k64KLimit)
return PR_FALSE;
return PR_TRUE;
}
NS_IMETHODIMP
nsCanvasRenderingContext2D::DrawWindow(nsIDOMWindow* aWindow, PRInt32 aX, PRInt32 aY,
PRInt32 aW, PRInt32 aH,
@ -1814,6 +1837,11 @@ nsCanvasRenderingContext2D::DrawWindow(nsIDOMWindow* aWindow, PRInt32 aX, PRInt3
{
NS_ENSURE_ARG(aWindow != nsnull);
// protect against too-large surfaces that will cause allocation
// or overflow issues
if (!CheckSaneImageSize (aW, aH))
return NS_ERROR_FAILURE;
// We can't allow web apps to call this until we fix at least the
// following potential security issues:
// -- rendering cross-domain IFRAMEs and then extracting the results
@ -1921,7 +1949,12 @@ nsCanvasRenderingContext2D::DrawNativeSurfaces(nsIDrawingSurface* aBlackSurface,
NS_ERROR("Must have image frame already");
return NS_ERROR_FAILURE;
}
// check if the dimensions are too large;
// if they are, we may easily overflow malloc later on
if (!CheckSaneImageSize (aSurfaceSize.width, aSurfaceSize.height))
return NS_ERROR_FAILURE;
// Acquire alpha values
nsAutoArrayPtr<PRUint8> alphas;
nsresult rv;
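Review bot: The overflow checks in CheckSaneImageSize rely on signed 32-bit multiplication wrapping, which is undefined behaviour in C++, so a compiler may legally drop `tmp / height != width` and `tmp / 4 != width * height`. That would leave only the 64K limit, and 0xFFFF * 0xFFFF * 4 does not fit in a PRInt32. Both dimensions are already known to be positive at that point, so a division-based test cannot overflow: `if (width > PR_INT32_MAX / 4 / height) return PR_FALSE;` in place of the two multiply-then-divide checks. This affects both call sites added here, in DrawWindow (aW/aH) and DrawNativeSurfaces (aSurfaceSize), where the helper appears to be the guard in front of the later buffer sizing; the allocations themselves are outside the visible hunks.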