2011-05-26 James Robinson <jamesr@chromium.org>

        Reviewed by Darin Fisher.

        [skia] Add area check to ImageBufferData::getImageData
        https://bugs.webkit.org/show_bug.cgi?id=61375

        No change in behavior, just a sanity check.

        * platform/graphics/skia/ImageBufferSkia.cpp:
        (WebCore::getImageData):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@87439 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index c443ada..7a1f751 100644 (file)
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2011-05-26  James Robinson  <jamesr@chromium.org>
+
+        Reviewed by Darin Fisher.
+
+        [skia] Add area check to ImageBufferData::getImageData
+        https://bugs.webkit.org/show_bug.cgi?id=61375
+
+        No change in behavior, just a sanity check.
+
+        * platform/graphics/skia/ImageBufferSkia.cpp:
+        (WebCore::getImageData):
+
 2011-05-26  Levi Weintraub  <leviw@chromium.org>
 
         Reviewed by Eric Seidel.

diff --git a/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp b/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp
index ceb839a..b9a8259 100644 (file)
--- a/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp
+++ b/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp
@@ -168,6 +168,10 @@ template <Multiply multiplied>
 PassRefPtr<ByteArray> getImageData(const IntRect& rect, SkDevice& srcDevice,
                                    const IntSize& size)
 {
+    float area = 4.0f * rect.width() * rect.height();
+    if (area > static_cast<float>(std::numeric_limits<int>::max()))
+        return 0;
+
     RefPtr<ByteArray> result = ByteArray::create(rect.width() * rect.height() * 4);
 
     SkBitmap::Config srcConfig = srcDevice.accessBitmap(false).config();