2011-05-26 James Robinson <jamesr@chromium.org>
Reviewed by Darin Fisher.
[skia] Add area check to ImageBufferData::getImageData
https://bugs.webkit.org/show_bug.cgi?id=61375
No change in behavior, just a sanity check.
* platform/graphics/skia/ImageBufferSkia.cpp:
(WebCore::getImageData):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@87439 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index c443ada..7a1f751 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2011-05-26 James Robinson <jamesr@chromium.org>
+
+ Reviewed by Darin Fisher.
+
+ [skia] Add area check to ImageBufferData::getImageData
+ https://bugs.webkit.org/show_bug.cgi?id=61375
+
+ No change in behavior, just a sanity check.
+
+ * platform/graphics/skia/ImageBufferSkia.cpp:
+ (WebCore::getImageData):
+
2011-05-26 Levi Weintraub <leviw@chromium.org>
Reviewed by Eric Seidel.
diff --git a/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp b/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp
index ceb839a..b9a8259 100644
--- a/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp
+++ b/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp
@@ -168,6 +168,10 @@
PassRefPtr<ByteArray> getImageData(const IntRect& rect, SkDevice& srcDevice,
const IntSize& size)
{
+ float area = 4.0f * rect.width() * rect.height();
+ if (area > static_cast<float>(std::numeric_limits<int>::max()))
+ return 0;
+
RefPtr<ByteArray> result = ByteArray::create(rect.width() * rect.height() * 4);
SkBitmap::Config srcConfig = srcDevice.accessBitmap(false).config();
