From c5aabd8c01375ba2f2b44db8f9cc335c43d3c9b2 Mon Sep 17 00:00:00 2001
From: Chris Pearce <chris@pearce.org.nz>
Date: Tue, 15 Nov 2011 09:35:46 +1300
Subject: [PATCH] Bug 701259 - Restrict BasicPlanarYCbCrImage scaling
 destination size. r=roc

---
 gfx/layers/basic/BasicImages.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/gfx/layers/basic/BasicImages.cpp b/gfx/layers/basic/BasicImages.cpp
index 25f768e3e47..d0d2c56a6ab 100644
--- a/gfx/layers/basic/BasicImages.cpp
+++ b/gfx/layers/basic/BasicImages.cpp
@@ -145,8 +145,9 @@ void
 BasicPlanarYCbCrImage::SetData(const Data& aData)
 {
   // Do some sanity checks to prevent integer overflow
-  if (aData.mYSize.width > 16384 || aData.mYSize.height > 16384) {
-    NS_ERROR("Illegal width or height");
+  if (aData.mYSize.width > PlanarYCbCrImage::MAX_DIMENSION ||
+      aData.mYSize.height > PlanarYCbCrImage::MAX_DIMENSION) {
+    NS_ERROR("Illegal image source width or height");
     return;
   }
   
@@ -159,6 +160,11 @@ BasicPlanarYCbCrImage::SetData(const Data& aData)
 
   gfxIntSize size(mScaleHint);
   gfxUtils::GetYCbCrToRGBDestFormatAndSize(aData, format, size);
+  if (size.width > PlanarYCbCrImage::MAX_DIMENSION ||
+      size.height > PlanarYCbCrImage::MAX_DIMENSION) {
+    NS_ERROR("Illegal image dest width or height");
+    return;
+  }
 
   mStride = gfxASurface::FormatStrideForWidth(format, size.width);
   mBuffer = AllocateBuffer(size.height * mStride);