<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><style type="text/css"><!--
#msg dl { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fc0 solid; padding: 6px; }
#msg ul, pre { overflow: auto; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<title>[20746] trunk</title>
</head>
<body>
<div id="msg">
<dl>
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/20746">20746</a></dd>
<dt>Author</dt> <dd>oliver</dd>
<dt>Date</dt> <dd>2007-04-05 23:45:53 -0700 (Thu, 05 Apr 2007)</dd>
</dl>
<h3>Log Message</h3>
<pre>2007-04-05 Oliver Hunt <oliver@apple.com>
Reviewed by Maciej.
WebCore:
Fix for rdar://problem/4849948 -- JSCanvasRenderingContext2D::drawImage
crashes when given invalid arguments.
JSCanvasRenderingContext2D frequently casts from JSValue* to JSObject*
and then checks isObject *after* the cast. JSObject::isObject is unsafe
if applied to a JSImmediate value (null, undefined, etc). This patch
corrects the logic in a number of places by performing the isObject check
before casting to JSObject.
* bindings/js/JSCanvasRenderingContext2DCustom.cpp:
(WebCore::JSCanvasRenderingContext2D::drawImage):
(WebCore::JSCanvasRenderingContext2D::drawImageFromRect):
(WebCore::JSCanvasRenderingContext2D::createPattern):
LayoutTests:
Layout tests for rdar://problem/4849948
Make sure we don't crash when passing invalid args to Canvas::drawImage
* fast/canvas/drawImage-with-invalid-args-expected.checksum: Added.
* fast/canvas/drawImage-with-invalid-args-expected.png: Added.
* fast/canvas/drawImage-with-invalid-args-expected.txt: Added.
* fast/canvas/drawImage-with-invalid-args.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkWebCoreChangeLog">trunk/WebCore/ChangeLog</a></li>
<li><a href="#trunkWebCorebindingsjsJSCanvasRenderingContext2DCustomcpp">trunk/WebCore/bindings/js/JSCanvasRenderingContext2DCustom.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfastcanvasdrawImagewithinvalidargsexpectedchecksum">trunk/LayoutTests/fast/canvas/drawImage-with-invalid-args-expected.checksum</a></li>
<li><a href="#trunkLayoutTestsfastcanvasdrawImagewithinvalidargsexpectedpng">trunk/LayoutTests/fast/canvas/drawImage-with-invalid-args-expected.png</a></li>
<li><a href="#trunkLayoutTestsfastcanvasdrawImagewithinvalidargsexpectedtxt">trunk/LayoutTests/fast/canvas/drawImage-with-invalid-args-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastcanvasdrawImagewithinvalidargshtml">trunk/LayoutTests/fast/canvas/drawImage-with-invalid-args.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
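--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2007-04-05 Oliver Hunt <oliver@apple.com>
+
+ Reviewed by Maciej.
+
+ Layout tests for rdar://problem/4849948
+ Make sure we don't crash when passing invalid args to Canvas::drawImage
+
+ * fast/canvas/drawImage-with-invalid-args-expected.checksum: Added.
+ * fast/canvas/drawImage-with-invalid-args-expected.png: Added.
+ * fast/canvas/drawImage-with-invalid-args-expected.txt: Added.
+ * fast/canvas/drawImage-with-invalid-args.html: Added.
+
 2007-04-05 Adele Peterson <adele@apple.com>
 
 Reviewed by Oliver.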
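--- a/trunk/LayoutTests/fast/canvas/drawImage-with-invalid-args-expected.checksum
+++ b/trunk/LayoutTests/fast/canvas/drawImage-with-invalid-args-expected.checksum
@@ -0,0 +1 @@
+7453d71ab2c36510a394a1093ee303fd
\ No newline at end of file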
<div class="binary"><h4>Added: trunk/LayoutTests/fast/canvas/drawImage-with-invalid-args-expected.png</h4>
<pre class="diff"><span>
<span class="cx">(Binary files differ)
</span></span></pre></div>
<span class="cx">Property changes on: trunk/LayoutTests/fast/canvas/drawImage-with-invalid-args-expected.png
</span><span class="cx">___________________________________________________________________
</span><span class="cx">Name: svn:mime-type
</span><span class="cx"> + application/octet-stream
</span><a id="trunkLayoutTestsfastcanvasdrawImagewithinvalidargsexpectedtxt"></a>
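--- a/trunk/LayoutTests/fast/canvas/drawImage-with-invalid-args-expected.txt
+++ b/trunk/LayoutTests/fast/canvas/drawImage-with-invalid-args-expected.txt
@@ -0,0 +1,16 @@
+CONSOLE MESSAGE: line 55: TypeError: Value null (result of expression myImage.onload) is not object.
+layer at (0,0) size 800x600
+ RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+ RenderBlock {HTML} at (0,0) size 800x600
+ RenderBody {BODY} at (8,8) size 784x576
+ RenderBlock (anonymous) at (0,0) size 784x36
+ RenderText {#text} at (0,0) size 765x36
+ text run at (0,0) width 599: "This test merely ensures we don't crash when giving invalid arguments to Canvas::drawImage. "
+ text run at (599,0) width 166: "If you can see this without"
+ text run at (0,18) width 180: "crashing, the test has passed."
+ RenderBlock {P} at (0,52) size 784x150
+ RenderHTMLCanvas {CANVAS} at (0,0) size 150x150
+ RenderText {#text} at (0,0) size 0x0
+ RenderText {#text} at (0,0) size 0x0
+ RenderText {#text} at (0,0) size 0x0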
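--- a/trunk/LayoutTests/fast/canvas/drawImage-with-invalid-args.html
+++ b/trunk/LayoutTests/fast/canvas/drawImage-with-invalid-args.html
@@ -0,0 +1,57 @@
+<body onload="draw();">
+ This test merely ensures we don't crash when giving invalid arguments to Canvas::drawImage.
+ If you can see this without crashing, the test has passed.<p/>
+<canvas id="canvas" width="150" height="150"></canvas>
+<script>
+ // Create image
+ var myImage = new Image();
+ var img_src = 'resources/apple.gif';
+ myImage.src = img_src;
+
+ function draw() {
+ var ctx = document.getElementById('canvas').getContext('2d');
+
+ // draw image
+ try{
+ ctx.drawImage();
+ } catch (e) {
+ }
+ try{
+ ctx.drawImage(myImage);
+ } catch (e) {
+ }
+ try{
+ ctx.drawImage(myImage, 0);
+ } catch (e) {
+ }
+ try{
+ ctx.drawImage(myImage, 0, 0);
+ } catch (e) {
+ }
+ try{
+ ctx.drawImage(myImage, 0, 0, 20, 20);
+ } catch (e) {
+ }
+ try{
+ ctx.drawImage(null);
+ } catch (e) {
+ }
+ try{
+ ctx.drawImage(null, 0);
+ } catch (e) {
+ }
+ try{
+ ctx.drawImage(null, 0, 0);
+ } catch (e) {
+ }
+ try{
+ ctx.drawImage(null, 0, 0, 20, 20);
+ } catch (e) {
+ }
+ ctx.fillStyle = 'green';
+ ctx.fillRect(0,0,150,150);
+ }
+
+ myImage.onload(draw);
+</script>
+</body>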
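Review bot: The last statement of the script, `myImage.onload(draw);`, invokes `onload` (still null at that point) instead of registering the handler, which is the `TypeError: Value null (result of expression myImage.onload)` recorded as the console message in the expected output; the intended line is `myImage.onload = draw;`. Because `draw()` is also wired through `<body onload="draw();">`, the malformed calls still execute and the test meets its stated purpose, but the baked-in console message ties the expectation to the exact wording of the engine's error text, so a later change to that message would fail this test for an unrelated reason. The empty `catch (e) {}` blocks are appropriate here since the test only asserts that none of the malformed calls crash. The `<p/>` after the description is a self-closing non-void element; a plain `<p>` is enough in this test page.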
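--- a/trunk/WebCore/ChangeLog
+++ b/trunk/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2007-04-05 Oliver Hunt <oliver@apple.com>
+
+ Reviewed by Maciej.
+
+ Fix for rdar://problem/4849948 -- JSCanvasRenderingContext2D::drawImage
+ crashes when given invalid arguments.
+
+ JSCanvasRenderingContext2D frequently casts from JSValue* to JSObject*
+ and then checks isObject *after* the cast. JSObject::isObject is unsafe
+ if applied to a JSImmediate value (null, undefined, etc). This patch
+ corrects the logic in a number of places by performing the isObject check
+ before casting to JSObject.
+
+ * bindings/js/JSCanvasRenderingContext2DCustom.cpp:
+ (WebCore::JSCanvasRenderingContext2D::drawImage):
+ (WebCore::JSCanvasRenderingContext2D::drawImageFromRect):
+ (WebCore::JSCanvasRenderingContext2D::createPattern):
+
 2007-04-05 Adele Peterson <adele@apple.com>
 
 Reviewed by Oliver.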
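--- a/trunk/WebCore/bindings/js/JSCanvasRenderingContext2DCustom.cpp
+++ b/trunk/WebCore/bindings/js/JSCanvasRenderingContext2DCustom.cpp
@@ -181,9 +181,11 @@
 // drawImage(img, sx, sy, sw, sh, dx, dy, dw, dh)
 // Composite operation is specified with globalCompositeOperation.
 // The img parameter can be a <img> or <canvas> element.
- JSObject* o = static_cast<JSObject*>(args[0]);
- if (!o->isObject())
+ JSValue* value = args[0];
+ if (!value->isObject())
 return throwError(exec, TypeError);
+ JSObject* o = static_cast<JSObject*>(value);
+
 ExceptionCode ec = 0;
 if (o->inherits(&JSHTMLImageElement::info)) {
 HTMLImageElement* imgElt = static_cast<HTMLImageElement*>(static_cast<JSHTMLElement*>(args[0])->impl());
@@ -238,10 +240,12 @@
 JSValue* JSCanvasRenderingContext2D::drawImageFromRect(ExecState* exec, const List& args)
 {
 CanvasRenderingContext2D* context = impl();
-
- JSObject* o = static_cast<JSObject*>(args[0]);
- if (!o->isObject())
+
+ JSValue* value = args[0];
+ if (!value->isObject())
 return throwError(exec, TypeError);
+ JSObject* o = static_cast<JSObject*>(value);
+
 if (!o->inherits(&JSHTMLImageElement::info))
 return throwError(exec, TypeError);
 context->drawImageFromRect(static_cast<HTMLImageElement*>(static_cast<JSHTMLElement*>(args[0])->impl()),
@@ -303,9 +307,11 @@
 {
 CanvasRenderingContext2D* context = impl();
 
- JSObject* o = static_cast<JSObject*>(args[0]);
- if (!o->isObject())
+ JSValue* value = args[0];
+ if (!value->isObject())
 return throwError(exec, TypeError);
+ JSObject* o = static_cast<JSObject*>(value);
+
 if (o->inherits(&JSHTMLImageElement::info)) {
 ExceptionCode ec;
 JSValue* pattern = toJS(exec,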
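Review bot: The element casts that follow the new guards still read `args[0]` rather than the validated `o` — `static_cast<JSHTMLElement*>(args[0])->impl()` at the end of the first hunk and again in drawImageFromRect in the second — so the safety of those casts depends on the reader knowing that `args[0]`, `value` and `o` are the same pointer. Casting the checked object instead, `static_cast<JSHTMLElement*>(o)->impl()`, would make the isObject and inherits guards visibly cover the downcast and protect against a later edit that changes which argument is validated. The reordering itself (isObject on the JSValue before the JSObject cast) is the right fix for the immediate-value crash; it presumably also relies on `args[0]` yielding a JSValue rather than a null pointer when the argument list is empty, which the new no-argument test case exercises. The enclosing functions start outside the hunks: drawImage's signature precedes the first hunk and createPattern's precedes the third, and all three bodies continue past the hunk end.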
</div>
</body>
</html>