Bug 1763424 - Limit ImageData typed array to 2Gb when created using its constructor r=edgar

- it's likely an oblivion from the fix for bug 1716622; - so just add a check on the final length of the buffer to be under the limit of 2Gb. Differential Revision: https://phabricator.services.mozilla.com/D143066
2022-04-07 19:46:47 +00:00 · 2022-04-07 19:46:47 +00:00 · d49143cc92
--- a/dom/bindings/test/test_large_imageData.html
+++ b/dom/bindings/test/test_large_imageData.html
@ -51,6 +51,15 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=1716622
      ok(ex.toString().includes("negative or greater than the allowed amount"),
         "Expected getImageData exception");

+      ex = null;
+      try {
+        new ImageData(23175, 23175);
+      } catch (e) {
+        ex = e;
+      }
+      ok(ex.toString().includes("negative or greater than the allowed amount"),
+         "Expected ImageData constructor exception");
+
      SimpleTest.finish();
    }
    go();
--- a/dom/canvas/ImageData.cpp
+++ b/dom/canvas/ImageData.cpp
@ -50,8 +50,11 @@ already_AddRefed<ImageData> ImageData::Constructor(const GlobalObject& aGlobal,
    aRv.Throw(NS_ERROR_DOM_INDEX_SIZE_ERR);
    return nullptr;
  }
+
+  // Restrict the typed array length to INT32_MAX because that's all we support
+  // in dom::TypedArray::ComputeState.
  CheckedInt<uint32_t> length = CheckedInt<uint32_t>(aWidth) * aHeight * 4;
-  if (!length.isValid()) {
+  if (!length.isValid() || length.value() > INT32_MAX) {
    aRv.Throw(NS_ERROR_DOM_INDEX_SIZE_ERR);
    return nullptr;
  }