From d49143cc9260881f393587f9bc65397f6e16a3ac Mon Sep 17 00:00:00 2001
From: Calixte
Date: Thu, 7 Apr 2022 19:46:47 +0000
Subject: [PATCH] Bug 1763424 - Limit ImageData typed array to 2Gb when created using its constructor r=edgar

- it's likely an oblivion from the fix for bug 1716622;
- so just add a check on the final length of the buffer to be under the limit of 2Gb.

Differential Revision: https://phabricator.services.mozilla.com/D143066
---
 dom/bindings/test/test_large_imageData.html | 9 +++++++++
 dom/canvas/ImageData.cpp | 5 ++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/dom/bindings/test/test_large_imageData.html b/dom/bindings/test/test_large_imageData.html
index c4dd03d91abf..68cb4bd50b9a 100644
--- a/dom/bindings/test/test_large_imageData.html
+++ b/dom/bindings/test/test_large_imageData.html
@@ -51,6 +51,15 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=1716622
 ok(ex.toString().includes("negative or greater than the allowed amount"),
 "Expected getImageData exception");
 
+ ex = null;
+ try {
+ new ImageData(23175, 23175);
+ } catch (e) {
+ ex = e;
+ }
+ ok(ex.toString().includes("negative or greater than the allowed amount"),
+ "Expected ImageData constructor exception");
+
 SimpleTest.finish();
 }
 go();
diff --git a/dom/canvas/ImageData.cpp b/dom/canvas/ImageData.cpp
index 7b0cead8fcec..b4a0a403e5d6 100644
--- a/dom/canvas/ImageData.cpp
+++ b/dom/canvas/ImageData.cpp
@@ -50,8 +50,11 @@ already_AddRefed ImageData::Constructor(const GlobalObject& aGlobal,
 aRv.Throw(NS_ERROR_DOM_INDEX_SIZE_ERR);
 return nullptr;
 }
+
+ // Restrict the typed array length to INT32_MAX because that's all we support
+ // in dom::TypedArray::ComputeState.
 CheckedInt length = CheckedInt(aWidth) * aHeight * 4;
- if (!length.isValid()) {
+ if (!length.isValid() || length.value() > INT32_MAX) {
 aRv.Throw(NS_ERROR_DOM_INDEX_SIZE_ERR);
 return nullptr;
 }
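Review bot: The added `ok(ex.toString().includes(...))` dereferences `ex` unconditionally, so if the constructor ever stops throwing (the regression this test exists to catch) `ex` is still `null`, `ex.toString()` raises a TypeError inside `go()`, and `SimpleTest.finish()` is never reached; the failure shows up as an uncaught error or timeout instead of a failed assertion. Guarding the check keeps the failure mode explicit: `ok(ex !== null && ex.toString().includes("negative or greater than the allowed amount"), "Expected ImageData constructor exception");`. The same pattern appears in the pre-existing getImageData block just above the hunk, so it may be worth applying the guard there too. The enclosing `go()` function starts outside the hunk.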
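Review bot: The new bound in `if (!length.isValid() || length.value() > INT32_MAX)` hardcodes a limit that the added comment attributes to dom::TypedArray::ComputeState, and the accompanying test expects the getImageData path to enforce the same ceiling, so the value is presumably checked in at least two places that can drift apart. Giving the limit one name near the top of the file and using it here, e.g. `// Largest buffer dom::TypedArray::ComputeState can address.` followed by `static constexpr uint32_t kMaxImageDataLength = INT32_MAX;` and `length.value() > kMaxImageDataLength`, would make the shared invariant greppable. The element type of `CheckedInt` is not visible in this hunk, so the mixed-sign comparison against `INT32_MAX` should be confirmed to be on an unsigned type before relying on it. ImageData::Constructor continues past the hunk; the code that allocates from `length` is outside view.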