mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-17 15:25:52 +00:00
Bug 584861 - Fix CheckSaneSubrectSize - r=vladimir a=blocking2.0
This commit is contained in:
parent
707399e5dc
commit
da1a0e7cc3
@ -40,6 +40,8 @@
|
||||
|
||||
#include "prtypes.h"
|
||||
|
||||
#include "CheckedInt.h"
|
||||
|
||||
class nsHTMLCanvasElement;
|
||||
class nsIPrincipal;
|
||||
|
||||
@ -50,16 +52,15 @@ public:
|
||||
// Check that the rectangle [x,y,w,h] is a subrectangle of [0,0,realWidth,realHeight]
|
||||
|
||||
static PRBool CheckSaneSubrectSize(PRInt32 x, PRInt32 y, PRInt32 w, PRInt32 h,
|
||||
PRInt32 realWidth, PRInt32 realHeight)
|
||||
{
|
||||
if (w <= 0 || h <= 0 || x < 0 || y < 0)
|
||||
return PR_FALSE;
|
||||
PRInt32 realWidth, PRInt32 realHeight) {
|
||||
CheckedInt32 checked_x_plus_w = CheckedInt32(x) + w;
|
||||
CheckedInt32 checked_y_plus_h = CheckedInt32(y) + h;
|
||||
|
||||
if (x >= realWidth || w > (realWidth - x) ||
|
||||
y >= realHeight || h > (realHeight - y))
|
||||
return PR_FALSE;
|
||||
|
||||
return PR_TRUE;
|
||||
return w >= 0 && h >= 0 && x >= 0 && y >= 0 &&
|
||||
checked_x_plus_w.valid() &&
|
||||
checked_x_plus_w.value() <= realWidth &&
|
||||
checked_y_plus_h.valid() &&
|
||||
checked_y_plus_h.value() <= realHeight;
|
||||
}
|
||||
|
||||
// Flag aCanvasElement as write-only if drawing an image with aPrincipal
|
||||
|
@ -3951,6 +3951,9 @@ nsCanvasRenderingContext2D::GetImageData_explicit(PRInt32 x, PRInt32 y, PRUint32
|
||||
return NS_ERROR_DOM_SECURITY_ERR;
|
||||
}
|
||||
|
||||
if (w == 0 || h == 0)
|
||||
return NS_ERROR_DOM_SYNTAX_ERR;
|
||||
|
||||
if (!CanvasUtils::CheckSaneSubrectSize (x, y, w, h, mWidth, mHeight))
|
||||
return NS_ERROR_DOM_SYNTAX_ERR;
|
||||
|
||||
@ -4042,6 +4045,9 @@ nsCanvasRenderingContext2D::PutImageData_explicit(PRInt32 x, PRInt32 y, PRUint32
|
||||
if (!mValid)
|
||||
return NS_ERROR_FAILURE;
|
||||
|
||||
if (w == 0 || h == 0)
|
||||
return NS_ERROR_DOM_SYNTAX_ERR;
|
||||
|
||||
if (!CanvasUtils::CheckSaneSubrectSize (x, y, w, h, mWidth, mHeight))
|
||||
return NS_ERROR_DOM_SYNTAX_ERR;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user