From 00a55347d115ca4049a3ba63d7cd40e2db74c512 Mon Sep 17 00:00:00 2001
From: "vladimir%pobox.com"
Date: Thu, 5 Jan 2006 22:59:56 +0000
Subject: [PATCH] b=322215, fix up canvas drawWindow temporary sizing

git-svn-id: svn://10.0.0.236/trunk@187029 18797224-902f-48f8-a5cc-f745e15eee43
---
 .../canvas/src/nsCanvasRenderingContext2D.cpp | 35 ++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp b/mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp
index c87c348e57f..7b8a6a8caaa 100644
--- a/mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp
+++ b/mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp
@@ -1807,6 +1807,29 @@ nsCanvasRenderingContext2D::CairoSurfaceFromElement(nsIDOMElement *imgElt,
     return NS_OK;
 }
 
+static PRBool
+CheckSaneImageSize (PRInt32 width, PRInt32 height)
+{
+    if (width <= 0 || height <= 0)
+        return PR_FALSE;
+
+    /* check to make sure we don't overflow a 32-bit */
+    PRInt32 tmp = width * height;
+    if (tmp / height != width)
+        return PR_FALSE;
+
+    tmp = tmp * 4;
+    if (tmp / 4 != width * height)
+        return PR_FALSE;
+
+    /* reject over-wide or over-tall images */
+    const PRInt32 k64KLimit = 0x0000FFFF;
+    if (width > k64KLimit || height > k64KLimit)
+        return PR_FALSE;
+
+    return PR_TRUE;
+}
+
 NS_IMETHODIMP
 nsCanvasRenderingContext2D::DrawWindow(nsIDOMWindow* aWindow, PRInt32 aX, PRInt32 aY, PRInt32 aW, PRInt32 aH,
@@ -1814,6 +1837,11 @@ nsCanvasRenderingContext2D::DrawWindow(nsIDOMWindow* aWindow, PRInt32 aX, PRInt3
 {
     NS_ENSURE_ARG(aWindow != nsnull);
 
+    // protect against too-large surfaces that will cause allocation
+    // or overflow issues
+    if (!CheckSaneImageSize (aW, aH))
+        return NS_ERROR_FAILURE;
+
     // We can't allow web apps to call this until we fix at least the
     // following potential security issues:
     // -- rendering cross-domain IFRAMEs and then extracting the results
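Review bot: The overflow detection in the new CheckSaneImageSize relies on signed wraparound: `PRInt32 tmp = width * height;` followed by `if (tmp / height != width)` (and the same divide-back on `tmp * 4`) is undefined behaviour whenever the product overflows, so an optimizing compiler is free to fold both checks away and let an oversize request reach the allocation they are meant to guard. The 64K-per-dimension limit is evaluated last, so it does not bound the product either. Checking that limit first and doing the size arithmetic in PRUint32, where wraparound is defined, keeps the function in 32-bit arithmetic while making it well-defined: with both dimensions at most 0xFFFF the pixel count itself cannot wrap, so only the 4-bytes-per-pixel byte count needs comparing against PR_INT32_MAX. The rewrite below replaces the two divide-back checks; the surrounding hunk lines are unchanged.
```cpp
static PRBool
CheckSaneImageSize (PRInt32 width, PRInt32 height)
{
    if (width <= 0 || height <= 0)
        return PR_FALSE;

    /* reject over-wide or over-tall images first, so that the
       pixel-count product below cannot wrap a 32-bit unsigned */
    const PRInt32 k64KLimit = 0x0000FFFF;
    if (width > k64KLimit || height > k64KLimit)
        return PR_FALSE;

    /* signed overflow is undefined, so do the size arithmetic unsigned;
       keep the original bound that 4 bytes per pixel must fit a PRInt32 */
    PRUint32 pixels = (PRUint32)width * (PRUint32)height;
    if (pixels > (PRUint32)PR_INT32_MAX / 4)
        return PR_FALSE;

    return PR_TRUE;
}
```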
@@ -1921,7 +1949,12 @@ nsCanvasRenderingContext2D::DrawNativeSurfaces(nsIDrawingSurface* aBlackSurface,
         NS_ERROR("Must have image frame already");
         return NS_ERROR_FAILURE;
     }
-
+
+    // check if the dimensions are too large;
+    // if they are, we may easily overflow malloc later on
+    if (!CheckSaneImageSize (aSurfaceSize.width, aSurfaceSize.height))
+        return NS_ERROR_FAILURE;
+
     // Acquire alpha values
     nsAutoArrayPtr alphas;
     nsresult rv;
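Review bot: The rejection added before `// Acquire alpha values` is silent: CheckSaneImageSize returns PR_FALSE and the caller receives a bare NS_ERROR_FAILURE, indistinguishable from the "Must have image frame already" path just above it, so an oversize surface being refused leaves no trace when diagnosing a failed draw. An `NS_WARNING("DrawNativeSurfaces: rejecting oversize surface");` ahead of the added `return NS_ERROR_FAILURE;` (and likewise at the DrawWindow call site in the earlier hunk) would make such rejections visible in debug builds without changing the result callers see. DrawNativeSurfaces begins and ends outside this hunk.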