description: fix CVE-2010-2900
author: Michael Gilbert <michael.s.gilbert@gmail.com>
origin: http://trac.webkit.org/changeset/63219
Index: webkit-1.2.4/WebCore/html/HTMLCanvasElement.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/html/HTMLCanvasElement.cpp 2010-09-06 22:28:56.000000000 -0400
+++ webkit-1.2.4/WebCore/html/HTMLCanvasElement.cpp 2010-09-06 22:29:28.000000000 -0400
@@ -64,6 +64,9 @@
// in exchange for a smaller maximum canvas size.
const float HTMLCanvasElement::MaxCanvasArea = 32768 * 8192; // Maximum canvas area in CSS pixels
+//In Skia, we will also limit width/height to 32767.
+static const float MaxSkiaDim = 32767.0F; // Maximum width/height in CSS pixels.
+
HTMLCanvasElement::HTMLCanvasElement(const QualifiedName& tagName, Document* doc)
: HTMLElement(tagName, doc)
, m_size(defaultWidth, defaultHeight)
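Review bot: `MaxSkiaDim` is defined unconditionally here, but its only use in this patch sits inside `#if PLATFORM(SKIA)` in the second hunk, so non-Skia builds carry a file-scope constant nothing reads (and, depending on warning flags, possibly an unused-variable warning). Guarding the definition the same way keeps the two in step: `#if PLATFORM(SKIA)` / `static const float MaxSkiaDim = 32767.0F; // Maximum width/height in CSS pixels.` / `#endif`. The new comment line also lacks the space after `//` that the neighbouring comments use; `// In Skia, we will also limit width/height to 32767.` matches the file's style.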
@@ -293,6 +296,11 @@
if (!(wf >= 1 && hf >= 1 && wf * hf <= MaxCanvasArea))
return IntSize();
+#if PLATFORM(SKIA)
+ if (wf > MaxSkiaDim || hf > MaxSkiaDim)
+ return IntSize();
+#endif
+
return IntSize(static_cast<unsigned>(wf), static_cast<unsigned>(hf));
}
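Review bot: The new per-dimension guard carries no comment explaining why a size that already passed the `MaxCanvasArea` check must still be rejected, and the hunk starts after that check, so the enclosing function's signature and the derivation of `wf`/`hf` are outside the hunk. A one-line why-comment above the `#if` would make the intent traceable to the fix: `// Skia limits each dimension to MaxSkiaDim; reject larger sizes here even when the area check passes, so the casts below never receive an oversized width or height (CVE-2010-2900).` The guard is compiled only under PLATFORM(SKIA); whether other graphics backends in this tree need a comparable per-dimension cap is not visible from this patch and is worth confirming separately.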