description: fix cve-2010-2900
author: Michael Gilbert
origin: http://trac.webkit.org/changeset/63219
Index: webkit-1.2.4/WebCore/html/HTMLCanvasElement.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/html/HTMLCanvasElement.cpp	2010-09-06 22:28:56.000000000 -0400
+++ webkit-1.2.4/WebCore/html/HTMLCanvasElement.cpp	2010-09-06 22:29:28.000000000 -0400
@@ -64,6 +64,9 @@
 // in exchange for a smaller maximum canvas size.
 const float HTMLCanvasElement::MaxCanvasArea = 32768 * 8192; // Maximum canvas area in CSS pixels
 
+//In Skia, we will also limit width/height to 32767.
+static const float MaxSkiaDim = 32767.0F; // Maximum width/height in CSS pixels.
+
 HTMLCanvasElement::HTMLCanvasElement(const QualifiedName& tagName, Document* doc)
     : HTMLElement(tagName, doc)
     , m_size(defaultWidth, defaultHeight)
@@ -293,6 +296,11 @@
     if (!(wf >= 1 && hf >= 1 && wf * hf <= MaxCanvasArea))
         return IntSize();
 
+#if PLATFORM(SKIA)
+    if (wf > MaxSkiaDim || hf > MaxSkiaDim)
+        return IntSize();
+#endif
+
     return IntSize(static_cast(wf), static_cast(hf));
 }
 
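Review bot: The per-dimension guard in the second hunk is compiled only under `#if PLATFORM(SKIA)`, yet `MaxSkiaDim` in the first hunk is defined unconditionally, so the constant and its sole use are split across the file and a non-Skia build carries a dead file-scope constant; wrapping the definition in the same `#if PLATFORM(SKIA)` block keeps the limit and its check together. Non-Skia backends remain bounded only by `MaxCanvasArea`, so a very wide but short canvas still passes this function there — presumably acceptable for those backends, but the comment should say the per-dimension cap is Skia-specific rather than a general canvas limit. The new comment should also match the file's `// ` spacing and state the reason for 32767, e.g. `// Skia additionally caps width and height at 32767 (presumably its coordinate range — confirm); enforced under PLATFORM(SKIA) below.` The function modified by the second hunk starts outside the hunk, and the `static_cast` targets on its final line appear to have lost their template argument in extraction rather than in the patch itself.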