From 89c5ff6db902ced00560c7e98f14fdcea0ebed00 Mon Sep 17 00:00:00 2001
From: Andrew Osmond <aosmond@mozilla.com>
Date: Thu, 11 Jan 2018 08:26:42 -0500
Subject: [PATCH] Bug 1429413 - Ensure Factory::CreateDataSourceSurface
 allocation failures are gracefully handled. r=bas

---
 dom/canvas/ImageBitmap.cpp         | 29 +++++++++++++++++------------
 gfx/2d/DrawTargetTiled.h           |  4 ++++
 gfx/2d/FilterProcessingSIMD-inl.h  |  6 +++++-
 gfx/layers/AsyncCanvasRenderer.cpp |  6 ++++++
 4 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/dom/canvas/ImageBitmap.cpp b/dom/canvas/ImageBitmap.cpp
index c86f8cd4bace..ca347a7fb1b1 100644
--- a/dom/canvas/ImageBitmap.cpp
+++ b/dom/canvas/ImageBitmap.cpp
@@ -225,28 +225,28 @@ CreateImageFromRawData(const gfx::IntSize& aSize,
   }
 
   // Convert RGBA to BGRA
-  DataSourceSurface::MappedSurface rgbaMap;
   RefPtr<DataSourceSurface> rgbaDataSurface = rgbaSurface->GetDataSurface();
-  if (NS_WARN_IF(!rgbaDataSurface->Map(DataSourceSurface::MapType::READ, &rgbaMap))) {
+  DataSourceSurface::ScopedMap rgbaMap(rgbaDataSurface, DataSourceSurface::READ);
+  if (NS_WARN_IF(!rgbaMap.IsMapped())) {
     return nullptr;
   }
 
   RefPtr<DataSourceSurface> bgraDataSurface =
     Factory::CreateDataSourceSurfaceWithStride(rgbaDataSurface->GetSize(),
                                                SurfaceFormat::B8G8R8A8,
-                                               rgbaMap.mStride);
-
-  DataSourceSurface::MappedSurface bgraMap;
-  if (NS_WARN_IF(!bgraDataSurface->Map(DataSourceSurface::MapType::WRITE, &bgraMap))) {
+                                               rgbaMap.GetStride());
+  if (NS_WARN_IF(!bgraDataSurface)) {
     return nullptr;
   }
 
-  SwizzleData(rgbaMap.mData, rgbaMap.mStride, SurfaceFormat::R8G8B8A8,
-              bgraMap.mData, bgraMap.mStride, SurfaceFormat::B8G8R8A8,
-              bgraDataSurface->GetSize());
+  DataSourceSurface::ScopedMap bgraMap(bgraDataSurface, DataSourceSurface::WRITE);
+  if (NS_WARN_IF(!bgraMap.IsMapped())) {
+    return nullptr;
+  }
 
-  rgbaDataSurface->Unmap();
-  bgraDataSurface->Unmap();
+  SwizzleData(rgbaMap.GetData(), rgbaMap.GetStride(), SurfaceFormat::R8G8B8A8,
+              bgraMap.GetData(), bgraMap.GetStride(), SurfaceFormat::B8G8R8A8,
+              bgraDataSurface->GetSize());
 
   // Create an Image from the BGRA SourceSurface.
   RefPtr<layers::Image> image = CreateImageFromSurface(bgraDataSurface);
@@ -481,6 +481,9 @@ ConvertColorFormatIfNeeded(RefPtr<SourceSurface> aSurface)
     Factory::CreateDataSourceSurfaceWithStride(dstSize,
                                                SurfaceFormat::B8G8R8A8,
                                                dstStride);
+  if (NS_WARN_IF(!dstDataSurface)) {
+    return nullptr;
+  }
 
   RefPtr<DataSourceSurface> srcDataSurface = aSurface->GetDataSurface();
   if (NS_WARN_IF(!srcDataSurface)) {
@@ -1429,7 +1432,9 @@ ImageBitmap::WriteStructuredClone(JSStructuredCloneWriter* aWriter,
                                                  map.GetStride(),
                                                  true);
   }
-  MOZ_ASSERT(dstDataSurface);
+  if (NS_WARN_IF(!dstDataSurface)) {
+    return false;
+  }
   Factory::CopyDataSourceSurface(snapshot, dstDataSurface);
   aClonedSurfaces.AppendElement(dstDataSurface);
   return true;
diff --git a/gfx/2d/DrawTargetTiled.h b/gfx/2d/DrawTargetTiled.h
index cfdd3fbbc9d2..2ef4dbf16350 100644
--- a/gfx/2d/DrawTargetTiled.h
+++ b/gfx/2d/DrawTargetTiled.h
@@ -203,6 +203,10 @@ public:
   virtual already_AddRefed<DataSourceSurface> GetDataSurface()
   {
     RefPtr<DataSourceSurface> surf = Factory::CreateDataSourceSurface(GetSize(), GetFormat());
+    if (!surf) {
+      gfxCriticalError() << "DrawTargetTiled::GetDataSurface failed to allocate surface";
+      return nullptr;
+    }
 
     DataSourceSurface::MappedSurface mappedSurf;
     if (!surf->Map(DataSourceSurface::MapType::WRITE, &mappedSurf)) {
diff --git a/gfx/2d/FilterProcessingSIMD-inl.h b/gfx/2d/FilterProcessingSIMD-inl.h
index dfd135ae52b8..247d3811ac20 100644
--- a/gfx/2d/FilterProcessingSIMD-inl.h
+++ b/gfx/2d/FilterProcessingSIMD-inl.h
@@ -17,9 +17,13 @@ inline already_AddRefed<DataSourceSurface>
 ConvertToB8G8R8A8_SIMD(SourceSurface* aSurface)
 {
   IntSize size = aSurface->GetSize();
-  RefPtr<DataSourceSurface> input = aSurface->GetDataSurface();
   RefPtr<DataSourceSurface> output =
     Factory::CreateDataSourceSurface(size, SurfaceFormat::B8G8R8A8);
+  if (!output) {
+    return nullptr;
+  }
+
+  RefPtr<DataSourceSurface> input = aSurface->GetDataSurface();
   DataSourceSurface::ScopedMap inputMap(input, DataSourceSurface::READ);
   DataSourceSurface::ScopedMap outputMap(output, DataSourceSurface::READ_WRITE);
   uint8_t *inputData = inputMap.GetData();
diff --git a/gfx/layers/AsyncCanvasRenderer.cpp b/gfx/layers/AsyncCanvasRenderer.cpp
index e2023c26c556..4375cb7af158 100644
--- a/gfx/layers/AsyncCanvasRenderer.cpp
+++ b/gfx/layers/AsyncCanvasRenderer.cpp
@@ -161,6 +161,9 @@ AsyncCanvasRenderer::CopyFromTextureClient(TextureClient* aTextureClient)
   {
     uint32_t stride = gfx::GetAlignedStride<8>(size.width, BytesPerPixel(format));
     mSurfaceForBasic = gfx::Factory::CreateDataSourceSurfaceWithStride(size, format, stride);
+    if (!mSurfaceForBasic) {
+      return;
+    }
   }
 
   MappedTextureData mapped;
@@ -244,6 +247,9 @@ AsyncCanvasRenderer::GetSurface()
       gfx::Factory::CreateDataSourceSurfaceWithStride(mSurfaceForBasic->GetSize(),
                                                       mSurfaceForBasic->GetFormat(),
                                                       srcMap.GetStride());
+    if (NS_WARN_IF(!result)) {
+      return nullptr;
+    }
 
     gfx::DataSourceSurface::ScopedMap dstMap(result, gfx::DataSourceSurface::WRITE);