Bug 584861 - Fix CheckSaneSubrectSize - r=vladimir a=blocking2.0

content/canvas/src/CanvasUtils.h

@@ -40,6 +40,8 @@
 
 #include "prtypes.h"
 
+#include "CheckedInt.h"
+
 class nsHTMLCanvasElement;
 class nsIPrincipal;
 
@@ -50,16 +52,15 @@ public:
     // Check that the rectangle [x,y,w,h] is a subrectangle of [0,0,realWidth,realHeight]
 
     static PRBool CheckSaneSubrectSize(PRInt32 x, PRInt32 y, PRInt32 w, PRInt32 h,
-                                       PRInt32 realWidth, PRInt32 realHeight)
-    {
-        if (w <= 0 || h <= 0 || x < 0 || y < 0)
-            return PR_FALSE;
+                                       PRInt32 realWidth, PRInt32 realHeight) {
+        CheckedInt32 checked_x_plus_w  = CheckedInt32(x) + w;
+        CheckedInt32 checked_y_plus_h  = CheckedInt32(y) + h;
 
-        if (x >= realWidth  || w > (realWidth - x) ||
-            y >= realHeight || h > (realHeight - y))
-            return PR_FALSE;
-
-        return PR_TRUE;
+        return w >= 0 && h >= 0 && x >= 0 && y >= 0 &&
+            checked_x_plus_w.valid() &&
+            checked_x_plus_w.value() <= realWidth &&
+            checked_y_plus_h.valid() &&
+            checked_y_plus_h.value() <= realHeight;
     }
 
     // Flag aCanvasElement as write-only if drawing an image with aPrincipal

content/canvas/src/nsCanvasRenderingContext2D.cpp

@@ -3951,6 +3951,9 @@ nsCanvasRenderingContext2D::GetImageData_explicit(PRInt32 x, PRInt32 y, PRUint32
         return NS_ERROR_DOM_SECURITY_ERR;
     }
 
+    if (w == 0 || h == 0)
+        return NS_ERROR_DOM_SYNTAX_ERR;
+
     if (!CanvasUtils::CheckSaneSubrectSize (x, y, w, h, mWidth, mHeight))
         return NS_ERROR_DOM_SYNTAX_ERR;
 
@@ -4042,6 +4045,9 @@ nsCanvasRenderingContext2D::PutImageData_explicit(PRInt32 x, PRInt32 y, PRUint32
     if (!mValid)
         return NS_ERROR_FAILURE;
 
+    if (w == 0 || h == 0)
+        return NS_ERROR_DOM_SYNTAX_ERR;
+
     if (!CanvasUtils::CheckSaneSubrectSize (x, y, w, h, mWidth, mHeight))
         return NS_ERROR_DOM_SYNTAX_ERR;