From 76cb4247d3c393d6efe9c57fbd4c993b94baa2f4 Mon Sep 17 00:00:00 2001
From: Kartikaya Gupta
Date: Tue, 13 Nov 2018 10:39:27 +0000
Subject: [PATCH] Bug 1466613 - Prevent creation of DynamicImage instances that are excessively large. r=mstange
Differential Revision: https://phabricator.services.mozilla.com/D11528
--HG--
extra : moz-landing-system : lando
---
 layout/painting/nsImageRenderer.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/layout/painting/nsImageRenderer.cpp b/layout/painting/nsImageRenderer.cpp
index 785767ab55de..eec6c3a77481 100644
--- a/layout/painting/nsImageRenderer.cpp
+++ b/layout/painting/nsImageRenderer.cpp
@@ -732,8 +732,13 @@ nsImageRenderer::DrawableForElement(const nsRect& aImageRect,
 nsRect destRect = aImageRect - aImageRect.TopLeft();
 nsIntSize roundedOut = destRect.ToOutsidePixels(appUnitsPerDevPixel).Size();
 IntSize imageSize(roundedOut.width, roundedOut.height);
- RefPtr drawable =
- nsSVGIntegrationUtils::DrawableFromPaintServer(
+
+ RefPtr drawable;
+
+ SurfaceFormat format = aContext.GetDrawTarget()->GetFormat();
+ // Don't allow creating images that are too big
+ if (aContext.GetDrawTarget()->CanCreateSimilarDrawTarget(imageSize, format)) {
+ drawable = nsSVGIntegrationUtils::DrawableFromPaintServer(
 mPaintServerFrame,
 mForFrame,
 mSize,
@@ -741,6 +746,7 @@ nsImageRenderer::DrawableForElement(const nsRect& aImageRect,
 aContext.GetDrawTarget(),
 aContext.CurrentMatrixDouble(),
 nsSVGIntegrationUtils::FLAG_SYNC_DECODE_IMAGES);
+ }
 return drawable.forget();
 }
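Review bot: When `CanCreateSimilarDrawTarget(imageSize, format)` fails in the first hunk, `drawable` stays null and the `drawable.forget()` after the second hunk returns that null silently, so the oversized case is only safe if callers outside this diff tolerate a null result; that should be confirmed and stated. I would expand the comment to something like `// Refuse sizes the draw target cannot allocate; drawable stays null and the caller must skip drawing.` and add `else { NS_WARNING("Refusing oversized paint-server image"); }` so rejected sizes show up in debug builds. The check also uses the destination target's own `format`; if the paint-server path allocates its surface in a different format, the limit tested here may not be the one that applies, which is worth verifying. The enclosing function starts before the first hunk, and both hunks cut through the argument list of the `DrawableFromPaintServer` call.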