Google Git
Sign in
webkit / WebKit / 9246696188aac40a4562532ebe60fd81f30b5ce7
commit9246696188aac40a4562532ebe60fd81f30b5ce7[log] [tgz]
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Tue Jul 26 18:58:32 2016 +0000
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Tue Jul 26 18:58:32 2016 +0000
treeab7a77fb0e6faf59fe08de6d69c53711ccb39cea
parent60b233a3e18f3216b7e9fb22a668d5d5766b4dab [diff]
Infinite Canvas context save() causes WebKit to crash
https://bugs.webkit.org/show_bug.cgi?id=159586
<rdar://problem/26759984>

Patch by Said Abou-Hallawa <sabouhallawa@apple.com> on 2016-07-26
Reviewed by Simon Fraser.

Source/WebCore:

Limit the size of the canvas context state stack to 1024 * 16 saves. All
the saves which come after that limit will stay unrealized. The restore()
should not have any effect till there is no unrealized saves.

Test: fast/canvas/canvas-context-save-limit.html

* html/canvas/CanvasRenderingContext2D.cpp:
(WebCore::CanvasRenderingContext2D::realizeSaves):
(WebCore::CanvasRenderingContext2D::realizeSavesLoop):
* html/canvas/CanvasRenderingContext2D.h:

LayoutTests:

* fast/canvas/canvas-context-save-limit-expected.txt: Added.
* fast/canvas/canvas-context-save-limit.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@203729 268f45cc-cd09-0410-ab3c-d52691b4dbfc
6 files changed
tree: ab7a77fb0e6faf59fe08de6d69c53711ccb39cea
  1. Examples/
  2. LayoutTests/
  3. ManualTests/
  4. PerformanceTests/
  5. Source/
  6. Tools/
  7. WebKit.xcworkspace/
  8. WebKitLibraries/
  9. Websites/
  10. .dir-locals.el
  11. .gitattributes
  12. .gitignore
  13. ChangeLog
  14. ChangeLog-2012-05-22
  15. CMakeLists.txt
  16. Makefile
  17. Makefile.shared